Windows Analysis Report
nkCBRtd25H.exe

Overview

General Information

Sample name: nkCBRtd25H.exe (renamed because original name is a hash value)
Original sample name: 2c6652f7e01283de091b5200b7878e69.exe
Analysis ID: 1587586
MD5: 2c6652f7e01283de091b5200b7878e69
SHA1: c7503315a496a65c28e4be9fb397ffb830c54f8f
SHA256: c1e1f6eb7ac42447f53711eae48af5b53fb6d75c9ce43cf7e4edc413ccfb36f4
Tags: exe, user-abuse_ch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • nkCBRtd25H.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\nkCBRtd25H.exe" MD5: 2C6652F7E01283DE091B5200B7878E69)
    • nkCBRtd25H.exe (PID: 6952 cmdline: "C:\Windows\TEMP\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe" -burn.clean.room="C:\Users\user\Desktop\nkCBRtd25H.exe" -burn.filehandle.attached=640 -burn.filehandle.self=636 MD5: 2C6652F7E01283DE091B5200B7878E69)
      • RescueCDBurner.exe (PID: 2544 cmdline: C:\Windows\TEMP\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)
        • RescueCDBurner.exe (PID: 2356 cmdline: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)
          • cmd.exe (PID: 1656 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • LocalCtrl_alpha_v3.exe (PID: 4632 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • RescueCDBurner.exe (PID: 2800 cmdline: "C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)
    • cmd.exe (PID: 2404 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • LocalCtrl_alpha_v3.exe (PID: 2748 cmdline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe, ReversingLabs: Detection: 28%
Source: nkCBRtd25H.exe, Virustotal: Detection: 51%
Source: nkCBRtd25H.exe, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\qnotbcquwqoirf, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qkjwvkpsnwrihb, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040ED3B DecryptFileW,0_2_0040ED3B
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0044A2D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_0044A2D0
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040EA4B DecryptFileW,0_2_0040EA4B
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040DA0E CreateFileW,GetLastError,DecryptFileW,CloseHandle,0_2_0040DA0E
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040DB8F CreateFileW,GetLastError,DecryptFileW,CloseHandle,0_2_0040DB8F
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040ECE9 DecryptFileW,0_2_0040ECE9
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4ED3B DecryptFileW,2_2_00E4ED3B
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E8A2D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,2_2_00E8A2D0
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4EA4B DecryptFileW,2_2_00E4EA4B
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4DA0E CreateFileW,GetLastError,DecryptFileW,CloseHandle,2_2_00E4DA0E
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4DB8F CreateFileW,GetLastError,DecryptFileW,CloseHandle,2_2_00E4DB8F
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4ECE9 DecryptFileW,2_2_00E4ECE9
Source: RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_5f7e63af-4
Source: nkCBRtd25H.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File opened: C:\Windows\TEMP\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcr100.dll
Source: nkCBRtd25H.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000003.00000003.2251288229.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271731324.000000006C211000.00000020.00000001.01000000.0000000E.sdmp, RescueCDBurner.exe, 00000004.00000002.2332134181.000000006B2B1000.00000020.00000001.01000000.00000016.sdmp, RescueCDBurner.exe, 0000000C.00000002.2599670615.000000006C3F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, 00000003.00000002.2273400890.000000006E501000.00000020.00000001.01000000.0000000D.sdmp, RescueCDBurner.exe, 00000004.00000002.2332398108.000000006B371000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb source: nkCBRtd25H.exe, 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000000.00000000.2215566262.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000002.00000000.2222737602.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, nkCBRtd25H.exe, 00000002.00000002.2541627056.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb 0]n source: nkCBRtd25H.exe, 00000002.00000002.2543452575.000000006E5C1000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.2271364836.000000000A0B2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271553353.000000000A410000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330545573.000000000A2EC000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330719148.000000000A640000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2331019742.000000000A9FF000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599301884.0000000004EAB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2601742717.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.2271364836.000000000A0B2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271553353.000000000A410000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330545573.000000000A2EC000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330719148.000000000A640000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2331019742.000000000A9FF000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599301884.0000000004EAB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2601742717.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb> source: nkCBRtd25H.exe, 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000000.00000000.2215566262.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000002.00000000.2222737602.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, nkCBRtd25H.exe, 00000002.00000002.2541627056.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0L source: RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb source: nkCBRtd25H.exe, 00000002.00000002.2543452575.000000006E5C1000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.2273246345.000000006CEA1000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.2335567848.000000006BD91000.00000020.00000001.01000000.00000011.sdmp
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_003F5C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_003F5C81
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_00441290 FindFirstFileExW,0_2_00441290
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0045343B FindFirstFileW,FindClose,0_2_0045343B
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040E72A FindFirstFileW,FindNextFileW,FindClose,0_2_0040E72A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E81290 FindFirstFileExW,2_2_00E81290
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E9343B FindFirstFileW,FindClose,2_2_00E9343B
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4E72A FindFirstFileW,FindNextFileW,FindClose,2_2_00E4E72A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E35C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00E35C81
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A0D44 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wsprintfW,FindNextFileW,FindClose,2_2_6E5A0D44
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A0534 _memset,FindFirstFileW,FindClose,2_2_6E5A0534
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5772FA __EH_prolog3_GS,GetACP,GetACP,GetACP,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,2_2_6E5772FA
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E57B005 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,wsprintfW,GetTickCount,wsprintfW,FindNextFileW,FindClose,2_2_6E57B005
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C26CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,3_2_6C26CC23
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C26C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,3_2_6C26C8FD
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C2381A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C2381A1
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 4x nop then or byte ptr [edi], dh3_2_6C227270
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E593C16 recv,2_2_6E593C16
Source: global traffic, DNS traffic detected: DNS query: bamarelakij.site
Source: nkCBRtd25H.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
Source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://b.chenall.net/menu.lst
Source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://bug.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.2333562061.000000006B4E9000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://bugreports.qt-project.org/
Source: RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.2333562061.000000006B4E9000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.ru/
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.surfok.de/
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
Source: RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: RescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: RescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces
Source: LocalCtrl_alpha_v3.exe, 00000010.00000003.3294802619.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bamarelakij.site:4432
Source: C:\Users\user\Desktop\nkCBRtd25H.exe File deleted: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
Source: LocalCtrl_alpha_v3.exe.5.dr Static PE information: Resource name: ZIP type: Zip archive data (empty)
Source: qnotbcquwqoirf.14.dr Static PE information: Number of sections : 12 > 10
Source: qkjwvkpsnwrihb.5.dr Static PE information: Number of sections : 12 > 10
Source: nkCBRtd25H.exe, 00000000.00000000.2215686293.0000000000490000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelangue.exe4 vs nkCBRtd25H.exe
Source: nkCBRtd25H.exe, 00000002.00000002.2543630343.000000006E5DA000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameTXFTNActiveX.DLLR vs nkCBRtd25H.exe
Source: nkCBRtd25H.exe, 00000002.00000002.2541742554.0000000000ED0000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamelangue.exe4 vs nkCBRtd25H.exe
Source: nkCBRtd25H.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine Classification label: mal84.evad.winEXE@18/32@13/0
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Code function: 0_2_0044A747 FormatMessageW,GetLastError,LocalFree,0_2_0044A747
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Code function: 0_2_0044B884 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,0_2_0044B884
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Code function: 2_2_00E8B884 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,2_2_00E8B884
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Code function: 0_2_0044FE01 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,0_2_0044FE01
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Code function: 0_2_0045699C FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,0_2_0045699C
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Code function: 0_2_004298F9 ChangeServiceConfigW,GetLastError,0_2_004298F9
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Users\user\Desktop\nkCBRtd25H.exe File created: C:\Users\user\AppData\Local\Temp\Rubrician_20250110092530.cleanroom.log
Source: nkCBRtd25H.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nkCBRtd25H.exe Virustotal: Detection: 51%
Source: nkCBRtd25H.exe ReversingLabs: Detection: 28%
Source: nkCBRtd25H.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\nkCBRtd25H.exe File read: C:\Users\user\Desktop\nkCBRtd25H.exe
Source: unknown Process created: C:\Users\user\Desktop\nkCBRtd25H.exe "C:\Users\user\Desktop\nkCBRtd25H.exe"
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Process created: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe "C:\Windows\TEMP\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe" -burn.clean.room="C:\Users\user\Desktop\nkCBRtd25H.exe" -burn.filehandle.attached=640 -burn.filehandle.self=636
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Process created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe C:\Windows\TEMP\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe Process created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe "C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: msi.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: feclient.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: feclient.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: starburn.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: qtcore4.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: qtgui4.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: qtnetwork4.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: qtxml4.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: msvcp100.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: pla.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: tdh.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: starburn.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: qtcore4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: qtgui4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: qtnetwork4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: qtxml4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: msvcp100.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: pla.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: pdh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: tdh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\nkCBRtd25H.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32Jump to behavior
Source: uhaaeyhthwk.5.drLNK file: ..\..\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: nkCBRtd25H.exeStatic file information: File size 14302064 > 1048576
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeFile opened: C:\Windows\TEMP\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcr100.dllJump to behavior
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nkCBRtd25H.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nkCBRtd25H.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000003.00000003.2251288229.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271731324.000000006C211000.00000020.00000001.01000000.0000000E.sdmp, RescueCDBurner.exe, 00000004.00000002.2332134181.000000006B2B1000.00000020.00000001.01000000.00000016.sdmp, RescueCDBurner.exe, 0000000C.00000002.2599670615.000000006C3F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, 00000003.00000002.2273400890.000000006E501000.00000020.00000001.01000000.0000000D.sdmp, RescueCDBurner.exe, 00000004.00000002.2332398108.000000006B371000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb source: nkCBRtd25H.exe, 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000000.00000000.2215566262.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000002.00000000.2222737602.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, nkCBRtd25H.exe, 00000002.00000002.2541627056.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb 0]n source: nkCBRtd25H.exe, 00000002.00000002.2543452575.000000006E5C1000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.2271364836.000000000A0B2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271553353.000000000A410000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330545573.000000000A2EC000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330719148.000000000A640000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2331019742.000000000A9FF000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599301884.0000000004EAB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2601742717.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.2271364836.000000000A0B2000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2271553353.000000000A410000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330545573.000000000A2EC000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330719148.000000000A640000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2331019742.000000000A9FF000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599301884.0000000004EAB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2601742717.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb> source: nkCBRtd25H.exe, 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000000.00000000.2215566262.000000000045E000.00000002.00000001.01000000.00000003.sdmp, nkCBRtd25H.exe, 00000002.00000000.2222737602.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, nkCBRtd25H.exe, 00000002.00000002.2541627056.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0L source: RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb source: nkCBRtd25H.exe, 00000002.00000002.2543452575.000000006E5C1000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.2273246345.000000006CEA1000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.2335567848.000000006BD91000.00000020.00000001.01000000.00000011.sdmp
Source: nkCBRtd25H.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nkCBRtd25H.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nkCBRtd25H.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nkCBRtd25H.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nkCBRtd25H.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5B530E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_6E5B530E
Source: qnotbcquwqoirf.14.drStatic PE information: real checksum: 0x26dceb should be: 0x26a793
Source: QtCore4.dll.2.drStatic PE information: real checksum: 0x283beb should be: 0x284aa4
Source: Ascidian.dll.2.drStatic PE information: real checksum: 0x77117 should be: 0x7ccd7
Source: QtCore4.dll.3.drStatic PE information: real checksum: 0x283beb should be: 0x284aa4
Source: qkjwvkpsnwrihb.5.drStatic PE information: real checksum: 0x26dceb should be: 0x26a793
Source: StarBurn.dll.2.drStatic PE information: real checksum: 0xa4afa should be: 0xab76c
Source: StarBurn.dll.3.drStatic PE information: real checksum: 0xa4afa should be: 0xab76c
Source: nkCBRtd25H.exeStatic PE information: section name: .didat
Source: nkCBRtd25H.exeStatic PE information: section name: .wixburn
Source: nkCBRtd25H.exe.0.drStatic PE information: section name: .didat
Source: nkCBRtd25H.exe.0.drStatic PE information: section name: .wixburn
Source: LocalCtrl_alpha_v3.exe.5.drStatic PE information: section name: Shared
Source: qkjwvkpsnwrihb.5.drStatic PE information: section name: .xdata
Source: qkjwvkpsnwrihb.5.drStatic PE information: section name: sfdel
Source: qnotbcquwqoirf.14.drStatic PE information: section name: .xdata
Source: qnotbcquwqoirf.14.drStatic PE information: section name: sfdel
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0048E000 push ss; ret 0_2_0048E01D
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0045CAD3 push ecx; ret 0_2_0045CAE6
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00ECE000 push ss; ret 2_2_00ECE01D
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E9CAD3 push ecx; ret 2_2_00E9CAE6
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E574910 push ebp; retf 2_2_6E57491B
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A47B4 push ecx; ret 2_2_6E5A47C7
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A8405 push ecx; ret 2_2_6E5A8418
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C220CC5 push ecx; ret 3_2_6C220CD8
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C212D88 push eax; ret 3_2_6C212DA6
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C22B658 push ecx; ret 3_2_6C22B66B
Source: StarBurn.dll.2.drStatic PE information: section name: .text entropy: 6.9340411158815725
Source: msvcr100.dll.2.drStatic PE information: section name: .text entropy: 6.9169969425576285
Source: msvcr100.dll.3.drStatic PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.3.dr Static PE information: section name: .text entropy: 6.9340411158815725
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\StarBurn.dll
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtNetwork4.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\StarBurn.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcp100.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcr100.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qnotbcquwqoirf
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtXml4.dll
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcr100.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtGui4.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtNetwork4.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qkjwvkpsnwrihb
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtCore4.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcp100.dll
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe File created: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\Ascidian.dll
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtGui4.dll
Source: C:\Users\user\Desktop\nkCBRtd25H.exe File created: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtCore4.dll
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtXml4.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QKJWVKPSNWRIHB
Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QNOTBCQUWQOIRF
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C26A3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,3_2_6C26A3DD
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeAPI/Special instruction interceptor: Address: 6BED7C44
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeAPI/Special instruction interceptor: Address: 6BED7C44
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeAPI/Special instruction interceptor: Address: 6BED7945
Source: C:\Windows\SysWOW64\cmd.exeAPI/Special instruction interceptor: Address: 6BED3B54
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qnotbcquwqoirf
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qkjwvkpsnwrihb
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Dropped PE file which has not been started: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\Ascidian.dll
Source: C:\Users\user\Desktop\nkCBRtd25H.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-49247
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeEvasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\nkCBRtd25H.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-49121
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeAPI coverage: 6.0 %
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe TID: 1976 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 6188 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 3108 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 3108 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0044A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0044A8A0h0_2_0044A805
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0044A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0044A899h0_2_0044A805
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E8A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00E8A8A0h2_2_00E8A805
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E8A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00E8A899h2_2_00E8A805
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_003F5C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_003F5C81
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_00441290 FindFirstFileExW,0_2_00441290
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0045343B FindFirstFileW,FindClose,0_2_0045343B
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0040E72A FindFirstFileW,FindNextFileW,FindClose,0_2_0040E72A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E81290 FindFirstFileExW,2_2_00E81290
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E9343B FindFirstFileW,FindClose,2_2_00E9343B
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E4E72A FindFirstFileW,FindNextFileW,FindClose,2_2_00E4E72A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E35C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00E35C81
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A0D44 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wsprintfW,FindNextFileW,FindClose,2_2_6E5A0D44
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A0534 _memset,FindFirstFileW,FindClose,2_2_6E5A0534
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5772FA __EH_prolog3_GS,GetACP,GetACP,GetACP,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,2_2_6E5772FA
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E57B005 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,wsprintfW,GetTickCount,wsprintfW,FindNextFileW,FindClose,2_2_6E57B005
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C26CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,3_2_6C26CC23
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C26C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,3_2_6C26C8FD
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C2381A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C2381A1
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0045C535 VirtualQuery,GetSystemInfo,0_2_0045C535
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000003.2252711868.000000000A7EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: [ed'ee.?AVQEmulationPaintuser@@0/
Source: RescueCDBurner.exe, 00000004.00000002.2335245789.000000006BCFF000.00000008.00000001.01000000.00000013.sdmpBinary or memory string: k.?AVQEmulationPaintuser@@0/fk
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
Source: RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
Source: RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: RescueCDBurner.exe, 00000003.00000002.2272828409.000000006CB8F000.00000008.00000001.01000000.0000000C.sdmpBinary or memory string: l.?AVQEmulationPaintuser@@0/Ol
Source: RescueCDBurner.exe, 00000003.00000002.2272828409.000000006CB8F000.00000008.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000003.00000003.2252711868.000000000A7EF000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2335245789.000000006BCFF000.00000008.00000001.01000000.00000013.sdmpBinary or memory string: .?AVQEmulationPaintuser@@
Source: C:\Users\user\Desktop\nkCBRtd25H.exeAPI call chain: ExitProcess graph end nodegraph_0-50545
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0043D3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043D3EE
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5B530E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_6E5B530E
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_003F540B GetProcessHeap,RtlAllocateHeap,0_2_003F540B
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_00437142 SetUnhandledExceptionFilter,0_2_00437142
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_0043D3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043D3EE
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_00436B18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00436B18
Source: C:\Users\user\Desktop\nkCBRtd25H.exeCode function: 0_2_00436FAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00436FAF
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E77142 SetUnhandledExceptionFilter,2_2_00E77142
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E7D3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00E7D3EE
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E76B18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00E76B18
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_00E76FAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00E76FAF
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5A46CD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6E5A46CD
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5926E8 _wcscpy,_wcscpy,_wcscpy,_wcscpy,SetErrorMode,SetUnhandledExceptionFilter,2_2_6E5926E8
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: 2_2_6E5AD4E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E5AD4E7
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C29AD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,3_2_6C29AD2C
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeCode function: 3_2_6C2207A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,3_2_6C2207A7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6E8548AJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x14011D93EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF638E4CCB0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638CD813EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtOpenKeyEx: Direct from: 0x7FF638CDDD6DJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtSetInformationThread: Direct from: 0x6FCC7B9CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6DF3F62Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF638CEBE25Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6FFDD26Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationToken: Direct from: 0x7FF7D6EA9CC5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF638E4EB94
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF638CF0ECFJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQuerySystemInformation: Direct from: 0x7FF7D6ED8A54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6ED7905Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF7D6EACE0CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638CEFA56Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF638E55ABEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6FEFA02Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6E7813EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF7D6EAD451Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638C62902Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtSetInformationThread: Direct from: 0x6BD97B9CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x14011D808Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF7D6FECA0BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF7D6E91DA7Jump to behavior
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exeNtProtectVirtualMemory: Direct from: 0x77377B2EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF7D6FF10A5
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF7D6EAD818Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF638CF1DA7Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF7D6E90ECFJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF7D6FF1097
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationThread: Direct from: 0x7FF638E5C5E6Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6FEFE30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6E8FA56Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationToken: Direct from: 0x7FF7D6ED4F99Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6E02437Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638C5A27EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638C601D4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF638C54267Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638E5DC4EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF638E51083
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF7D6E8BE25Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638CE548AJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638CEB5DBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF7D6EACC2EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF638C540C8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF7D6FEEB76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtOpenKeyEx: Direct from: 0x7FF7D6E7DD6DJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638C53F62Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF7D6E91682
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadFile: Direct from: 0x7FF638CEBF81Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6E81094Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FFDB4404B5EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF638CF0DF7Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638CD8213Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF638D0CC2EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF638E51097
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF7D6FECCB0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6E8BF24Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6FFDC4EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF638E4CA0BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF7D6FF1083
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638CE0C76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF638CF1386Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtQuerySystemInformation: Direct from: 0x773763E1Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF7D6FEEB94
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF638D0D818Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF638E510A5
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638D38A54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638D37905Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6E78213Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF7D6FFC5E6Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638E4FA02Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQuerySystemInformation: Direct from: 0x7FF7D6FF5ABEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF638D0D451Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638E4FE30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638D34F99Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638CE1094Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF7D6DF4267Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6DFA27EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadFile: Direct from: 0x14011D832Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQuerySystemInformation: Direct from: 0x7FF7D6E80C76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF638D62733Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF7D6E91386Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638D09CC5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FFDB43E26A1Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF638D0CE0CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638CEBF24Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtProtectVirtualMemory: Direct from: 0x7FF638E5DD26Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x14011D7A4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF638E4EB76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQuerySystemInformation: Direct from: 0x7FF7D6F02733Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF638C5D233Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7D6DFBB54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadFile: Direct from: 0x7FF7D6E8BF81Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF638CF1682
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x140120A3CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF7D6DF40C8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF7D6E90DF7Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 3C3010
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 2F1010
Source: C:\Users\user\Desktop\nkCBRtd25H.exe Process created: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe "C:\Windows\TEMP\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe" -burn.clean.room="C:\Users\user\Desktop\nkCBRtd25H.exe" -burn.filehandle.attached=640 -burn.filehandle.self=636
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_0044DA1F InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,0_2_0044DA1F
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_0044B493 AllocateAndInitializeSid,CheckTokenMembership,0_2_0044B493
Source: RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: RescueCDBurner.exe, 00000003.00000002.2272667208.000000006C97E000.00000002.00000001.01000000.0000000C.sdmp | Binary or memory string: lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: RescueCDBurner.exe, 00000004.00000002.2334915831.000000006BAEE000.00000002.00000001.01000000.00000013.sdmp | Binary or memory string: kChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_00437255 cpuid 0_2_00437255
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_6E5B4C5D
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,2_2_6E5B4C99
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_6E5B4B36
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_6E5B4BF6
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_6E5B4863
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_6E5B4965
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,2_2_6E5B490A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_6E5B476E
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,2_2_6E5AC51C
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_6E5B428A
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_6E5B3F9C
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: GetLocaleInfoA,2_2_6E5AB4F8
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_6E5A94E4
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,2_2_6E5B54B9
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_6E5B5593
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_6E5B3340
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,3_2_6C22750C
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,3_2_6C22767A
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,3_2_6C227270
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,3_2_6C2252E4
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_6C29F2EF
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_6C29F356
Source: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,3_2_6C2273B4
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_0040BB84 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,LocalFree,0_2_0040BB84
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_0044A805 EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection,0_2_0044A805
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_003F9360 GetUserNameW,GetLastError,0_2_003F9360
Source: C:\Users\user\Desktop\nkCBRtd25H.exe | Code function: 0_2_0045BA41 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,0_2_0045BA41
Source: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | Code function: 2_2_6E5928F4 __EH_prolog3_GS,_memset,GetVersionExW,GetVersionExW,GetVersionExW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,2_2_6E5928F4
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
Native API
11
DLL Side-Loading
1
Abuse Elevation Control Mechanism
1
Deobfuscate/Decode Files or Information
OS Credential Dumping12
System Time Discovery
Remote Services11
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter
1
Windows Service
11
DLL Side-Loading
1
Abuse Elevation Control Mechanism
LSASS Memory1
Account Discovery
Remote Desktop ProtocolData from Removable Media2
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Service Execution
Logon Script (Windows)1
Access Token Manipulation
4
Obfuscated Files or Information
Security Account Manager3
File and Directory Discovery
SMB/Windows Admin SharesData from Network Shared Drive1
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
Windows Service
1
Software Packing
NTDS145
System Information Discovery
Distributed Component Object ModelInput Capture1
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script213
Process Injection
11
DLL Side-Loading
LSA Secrets221
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
File Deletion
Cached Domain Credentials2
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
Masquerading
DCSync11
Virtualization/Sandbox Evasion
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
Virtualization/Sandbox Evasion
Proc Filesystem1
System Owner/User Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Access Token Manipulation
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron213
Process Injection
Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph (image not reproduced): ID: 1587586; Sample: nkCBRtd25H.exe; Startdate: 10/01/2025; Architecture: WINDOWS; Score: 84

Source | Detection | Scanner | Label | Link
nkCBRtd25H.exe | 51% | Virustotal | | Browse
nkCBRtd25H.exe | 29% | ReversingLabs | Win32.Trojan.Generic |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\qnotbcquwqoirf | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\qkjwvkpsnwrihb | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtCore4.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtGui4.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtNetwork4.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtXml4.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\StarBurn.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcp100.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcr100.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\Ascidian.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtCore4.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtGui4.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtNetwork4.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\QtXml4.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe | 3% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\StarBurn.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcp100.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\msvcr100.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://wixtoolset.org/schemas/v4/BundleExtensionData0%Avira URL Cloudsafe
http://wixtoolset.org/schemas/v4/2008/BurnHd0%Avira URL Cloudsafe
https://bamarelakij.site:44320%Avira URL Cloudsafe
http://wixtoolset.org/schemas/v4/BootstrapperApplicationData0%Avira URL Cloudsafe
http://wixtoolset.org/schemas/v4/2008/Burn0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
bamarelakij.site | unknown | unknown | false | | high
                                                high
                                                http://www.reneelab.es/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  high
                                                  http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                    high
                                                    http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipboRescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                      high
                                                      https://www.reneelab.comRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                        high
                                                        http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstoreRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                          high
                                                          http://bugreports.qt-project.org/RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.2333562061.000000006B4E9000.00000002.00000001.01000000.00000012.sdmpfalse
                                                            high
                                                            http://www.reneelab.com.cn/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                              high
                                                              http://www.reneelab.pl/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                high
                                                                http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespaRescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                  high
                                                                  http://www.phreedom.org/md5)RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.2333562061.000000006B4E9000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                    high
                                                                    http://wixtoolset.org/schemas/v4/BundleExtensionDatankCBRtd25H.exe, 00000002.00000003.2239504312.0000000003080000.00000004.00000020.00020000.00000000.sdmp, nkCBRtd25H.exe, 00000002.00000003.2239558042.0000000003080000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://bamarelakij.site:4432LocalCtrl_alpha_v3.exe, 00000010.00000003.3294802619.00000000004E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                      high
                                                                      https://www.reneelab.comwww.reneelab.comhttp://https://0RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                        high
                                                                        http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003UserRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                          high
                                                                          http://www.reneelab.kr/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                            high
                                                                            http://www.reneelab.jp/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                              high
                                                                              http://xml.org/sax/features/namespacesRescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                                high
                                                                                http://isecure.reneelab.com.cn/webapi.php?code=RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                  high
                                                                                  http://www.winimage.com/zLibDll1.2.6RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                    high
                                                                                    http://www.vmware.com/0/RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://downloads.reneelab.com/passnow/passnow_RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                        high
                                                                                        http://www.reneelab.net/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                          high
                                                                                          http://www.???.xx/?search=%sRescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://qt.digia.com/product/licensingRescueCDBurner.exe, 00000004.00000002.2334915831.000000006BAEE000.00000002.00000001.01000000.00000013.sdmpfalse
                                                                                              high
                                                                                              http://trolltech.com/xml/features/report-start-end-entityUnknownRescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                                                high
                                                                                                http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/nRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                  high
                                                                                                  http://www.symauth.com/cps0(RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                      high
                                                                                                      http://www.reneelab.it/reimpostare-passwordi-di-windows-login.htmlRescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                        high
                                                                                                        http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                          high
                                                                                                          http://www.symauth.com/rpa00RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A91000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009DC0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.000000000524B000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 0000000C.00000002.2593512324.0000000009F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.info-zip.org/RescueCDBurner.exe, 00000003.00000002.2270853054.0000000009A3B000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.2330124058.0000000009D6A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2599701516.0000000005202000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://trolltech.com/xml/features/report-start-end-entityRescueCDBurner.exe, 00000003.00000003.2255428203.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.2273561508.000000006E7D9000.00000002.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000004.00000002.2332755111.000000006B419000.00000002.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 0000000C.00000002.2606228422.000000006FC99000.00000002.00000001.01000000.00000014.sdmpfalse
                                                                                                                high
                                                                                                                http://www.winimage.com/zLibDllRescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.reneelab.com/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                                    high
                                                                                                                    http://isecure.reneelab.com/webapi.php?code=RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.2255719638.000000000A7FC000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                                      high
                                                                                                                      http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()RescueCDBurner.exe, 00000003.00000002.2271930031.000000006C379000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.2333562061.000000006B4E9000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/RescueCDBurner.exe, 00000003.00000002.2264581498.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000001.2241140942.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.2240196783.00000000003B4000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000002.2325360700.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000000.2263236020.0000000000F44000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 0000000C.00000000.2527746230.0000000000F44000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                                          high
                                                                                                                                        No contacted IP infos
                                                                                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                                                                                        Analysis ID:1587586
                                                                                                                                        Start date and time:2025-01-10 15:24:29 +01:00
                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                        Overall analysis duration:0h 10m 28s
                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                        Report type:full
                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                        Run name:Run with higher sleep bypass
                                                                                                                                        Number of analysed new started processes analysed:17
                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                        Technologies:
                                                                                                                                        • HCA enabled
                                                                                                                                        • EGA enabled
                                                                                                                                        • AMSI enabled
                                                                                                                                        Analysis Mode:default
                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                        Sample name:nkCBRtd25H.exe
                                                                                                                                        renamed because original name is a hash value
                                                                                                                                        Original Sample Name:2c6652f7e01283de091b5200b7878e69.exe
                                                                                                                                        Detection:MAL
                                                                                                                                        Classification:mal84.evad.winEXE@18/32@13/0
                                                                                                                                        EGA Information:
                                                                                                                                        • Successful, ratio: 66.7%
                                                                                                                                        HCA Information:
                                                                                                                                        • Successful, ratio: 95%
                                                                                                                                        • Number of executed functions: 90
                                                                                                                                        • Number of non-executed functions: 274
                                                                                                                                        Cookbook Comments:
                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                        • Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.12.23.50
                                                                                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                        • Execution Graph export aborted for target RescueCDBurner.exe, PID 2544 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
Time: 15:25:52
Type: Autostart
Description: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helpmonitorv3.lnk
                                                                                                                                        No context
                                                                                                                                        No context
                                                                                                                                        No context
Match: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Associated Sample Name / URL, Detection, Threat Name:
• 24EPV9vjc5.exe, malicious, Unknown
• kXzODlqJak.exe, malicious, Unknown
• VmjvNTbD5J.exe, malicious, Unknown
• 1wrLmYiC62.exe, malicious, Unknown
• 8Rmoal0v85.exe, malicious, Unknown
• K3UtwU3CH9.msi, malicious, Unknown
• 24EPV9vjc5.exe, malicious, Unknown
• VmjvNTbD5J.exe, malicious, Unknown
• 1wrLmYiC62.exe, malicious, Unknown
                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5622661
                                                                                                                                                          Entropy (8bit):7.726751811233327
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:SqJN4uZklyAOH0P3ezfh32PID9TB+OFUz8oMSMVbnXKgwDGnW:SYZkPOSahmPIDx8MVb6gwqnW
                                                                                                                                                          MD5:46CD5D87D1C069AD8F2A635C82093161
                                                                                                                                                          SHA1:4C1490CC43A00F3DFD125812D2AAB4E26BBA682F
                                                                                                                                                          SHA-256:CF0093A9010DC62358CD91F159B4339B2C5990B1906691EF6A05AC98C4F0E0DD
                                                                                                                                                          SHA-512:C5CE94A19A7CCC266731D23F9D3AAF01D367E39DC48043040667B3A3724A566D841AAEFB82CBBDE53D8502CE649062524893D29CD1D86C5E2767BF625C3BA25E
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5622661
                                                                                                                                                          Entropy (8bit):7.726751627571468
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:UqJN4uZklyAOH0P3ezfh32PID9TB+OFUz8oMSMVbnXKgwDGnW:UYZkPOSahmPIDx8MVb6gwqnW
                                                                                                                                                          MD5:F6EAA781175F805AC4E83C32B05D91A5
                                                                                                                                                          SHA1:57CB09CBAA1B033D3CA84F090F83AA3294F5D01F
                                                                                                                                                          SHA-256:C3928F949218637F991234DA170F000E302CCC1AD431F812849F0782F9B57F1D
                                                                                                                                                          SHA-512:69B2E2451B625585E2DF9BEBC9655DB7C0753BDBFE8C26D449759022C4323A999C248F62705B9A20206187EE97C6C72BC59B6BBA946D0628BC316DEEEA00A5EC
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2364728
                                                                                                                                                          Entropy (8bit):6.606009669324617
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
                                                                                                                                                          MD5:967F4470627F823F4D7981E511C9824F
                                                                                                                                                          SHA1:416501B096DF80DDC49F4144C3832CF2CADB9CB2
                                                                                                                                                          SHA-256:B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                                                                                                                                                          SHA-512:8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                          • Filename: 24EPV9vjc5.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: kXzODlqJak.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: VmjvNTbD5J.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: 1wrLmYiC62.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: 8Rmoal0v85.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: K3UtwU3CH9.msi, Detection: malicious, Browse
                                                                                                                                                          • Filename: 24EPV9vjc5.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: VmjvNTbD5J.exe, Detection: malicious, Browse
                                                                                                                                                          • Filename: 1wrLmYiC62.exe, Detection: malicious, Browse
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\Desktop\nkCBRtd25H.exe
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):742
                                                                                                                                                          Entropy (8bit):5.3217434355063835
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:zhmGS3uXNULLWUzP2RyGgGASRcP2EmRKu2RZGASRcP2EWKu2WGASRcP2rRKuaHFA:NmZYNwLLzPDxscP2NyscP2JjscP2RaHm
                                                                                                                                                          MD5:0BD0F56FC54F6F00939FDC169ACD04A4
                                                                                                                                                          SHA1:4AD368D0D44DF1E542B8ED0714442B66C237FDCD
                                                                                                                                                          SHA-256:F7C2D04B0A2BDECD7888E0F9268EC24FF20110FDAFBCB39EDEF09923D28EF36D
                                                                                                                                                          SHA-512:9A42D7FBC361863F9F7EEEB3C3C8D07DEF2DDEDA767634C84D034555E55A9FB99CB1222BB616F7D6862C59A41005D903C54B84D767A81D6CA02E35DA36767766
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:[1BD0:0C24][2025-01-10T09:25:30]i001: Burn x86 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Users\user\Desktop\nkCBRtd25H.exe..[1BD0:0C24][2025-01-10T09:25:30]i009: Command Line: ''..[1BD0:0C24][2025-01-10T09:25:30]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\nkCBRtd25H.exe'..[1BD0:0C24][2025-01-10T09:25:30]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1BD0:0C24][2025-01-10T09:25:30]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Rubrician_20250110092530.cleanroom.log'..[1BD0:0C24][2025-01-10T09:26:02]i017: Exit code: 0x0..
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1128
                                                                                                                                                          Entropy (8bit):5.4135704042926855
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24:iZYNwLLzrziEIWscP2NEscP2J9acP2RaH0acP2IacP2xacP2/1:iCNur2KjtjYFbUF3FoFS1
                                                                                                                                                          MD5:E0535BC9055D8A8FD21CB6BFD376198D
                                                                                                                                                          SHA1:1AA47B34F0F3A23FE7E1538981C57AAC8D0EE276
                                                                                                                                                          SHA-256:E254063B5A69C8E1B4F3824FA13B6E9EC38F1E6422549F0E6585C234630B4849
                                                                                                                                                          SHA-512:8263323804BAA1803C149D570198745F3DDF0B234380A421AD3E6E18E1987355AD90C7532166A3EC0EC9C787092979FDA5512F52B4ABED8F4F891B1D358B2A06
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:[1B28:07B8][2025-01-10T09:25:30]i001: Burn x86 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Windows\TEMP\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe..[1B28:07B8][2025-01-10T09:25:30]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\nkCBRtd25H.exe -burn.filehandle.attached=640 -burn.filehandle.self=636'..[1B28:07B8][2025-01-10T09:25:30]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\nkCBRtd25H.exe'..[1B28:07B8][2025-01-10T09:25:30]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1B28:07B8][2025-01-10T09:25:32]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Rubrician_20250110092532.log'..[1B28:07B8][2025-01-10T09:25:32]i000: Setting string variable 'WixBundleInProgressName' to value ''..[1B28:07B8][2025-01-10T09:25:32]i000: Setting string variable 'WixBundleNam
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2526208
                                                                                                                                                          Entropy (8bit):6.697179434185451
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:qMKUORaA3LORJ81Ba8+bCo4volrEPbyI0iQXAtQJXT0HcCIFZxXQNw07f7E5GGsP:u90jwASKZpgN
                                                                                                                                                          MD5:E1EF99935026E1F84F065C75819BF8E8
                                                                                                                                                          SHA1:1AE0CD73731E784F733D30AC2043FC0E85914EC1
                                                                                                                                                          SHA-256:1634B7E132C988B7142F2DB5B0F20059DEEDCDF9F8EC16222C495D9047F3E52C
                                                                                                                                                          SHA-512:5AB53D5E9C74581E7FBCF5E7291D3FB7C8844C119FD12DAC2D25C94A534ED3048C2FBB4B6B4B167B98FEDCE9B9A1B2B2D80E3E279EEA5A792FFD865FEDE616AA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2526208
                                                                                                                                                          Entropy (8bit):6.697179434185451
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:qMKUORaA3LORJ81Ba8+bCo4volrEPbyI0iQXAtQJXT0HcCIFZxXQNw07f7E5GGsP:u90jwASKZpgN
                                                                                                                                                          MD5:E1EF99935026E1F84F065C75819BF8E8
                                                                                                                                                          SHA1:1AE0CD73731E784F733D30AC2043FC0E85914EC1
                                                                                                                                                          SHA-256:1634B7E132C988B7142F2DB5B0F20059DEEDCDF9F8EC16222C495D9047F3E52C
                                                                                                                                                          SHA-512:5AB53D5E9C74581E7FBCF5E7291D3FB7C8844C119FD12DAC2D25C94A534ED3048C2FBB4B6B4B167B98FEDCE9B9A1B2B2D80E3E279EEA5A792FFD865FEDE616AA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 10 13:25:33 2025, mtime=Fri Jan 10 13:25:34 2025, atime=Fri Jan 3 18:13:10 2025, length=6487736, window=hide
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):984
                                                                                                                                                          Entropy (8bit):4.9689547654458694
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:8G74Ci4ypnu8ChF+lXIsY//0OPLYmVSOt29mbyOwD/cjEjA2G+HwWrRaUsJhhuwr:8ibSDY+lXUlhIm+Z4QA2G4FcXitegm
                                                                                                                                                          MD5:EBA887EA8701BE09BC006364C8A8091F
                                                                                                                                                          SHA1:CF50DECCD8A67382CCFFE0D9B08459C6240DF19B
                                                                                                                                                          SHA-256:EA66F7E39FD55C1CC3E792F8BD98B802EEC5E511331879316092A33AA699EF91
                                                                                                                                                          SHA-512:A96C495D494BFCF0050FF91FE8498700900E1B5087E62D433525A41EFC86F34DA4C512773E3D53CAAD9290589CEA80684630C14D3311DC5B15BC067E1B0D5C32
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: binary shortcut (.lnk) data; readable target path: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2598912
                                                                                                                                                          Entropy (8bit):6.6049974235008655
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
                                                                                                                                                          MD5:FECC62A37D37D9759E6B02041728AA23
                                                                                                                                                          SHA1:0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
                                                                                                                                                          SHA-256:94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
                                                                                                                                                          SHA-512:698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):8581632
                                                                                                                                                          Entropy (8bit):6.736578346160889
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
                                                                                                                                                          MD5:831BA3A8C9D9916BDF82E07A3E8338CC
                                                                                                                                                          SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
                                                                                                                                                          SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
                                                                                                                                                          SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1053696
                                                                                                                                                          Entropy (8bit):6.539052666912709
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
                                                                                                                                                          MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
                                                                                                                                                          SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
                                                                                                                                                          SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
                                                                                                                                                          SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):356352
                                                                                                                                                          Entropy (8bit):6.447802510709224
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
                                                                                                                                                          MD5:E9A9411D6F4C71095C996A406C56129D
                                                                                                                                                          SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
                                                                                                                                                          SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
                                                                                                                                                          SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):6487736
                                                                                                                                                          Entropy (8bit):7.518089126573906
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
                                                                                                                                                          MD5:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                          SHA1:A150FA871E10919A1D626FFE37B1A400142F452B
                                                                                                                                                          SHA-256:421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
                                                                                                                                                          SHA-512:3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):664064
                                                                                                                                                          Entropy (8bit):6.953961612144461
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
                                                                                                                                                          MD5:A147F46E2E1F315AA219482D645BEED9
                                                                                                                                                          SHA1:073A6AE153A903B31463FA33512AA93DA1E3BB6F
                                                                                                                                                          SHA-256:2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
                                                                                                                                                          SHA-512:690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):60283
                                                                                                                                                          Entropy (8bit):4.569551839311306
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
                                                                                                                                                          MD5:3620E2D48EB60EC875FB9262ABC87D2B
                                                                                                                                                          SHA1:55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
                                                                                                                                                          SHA-256:E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
                                                                                                                                                          SHA-512:CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):421200
                                                                                                                                                          Entropy (8bit):6.59808962341698
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                                                                                          MD5:03E9314004F504A14A61C3D364B62F66
                                                                                                                                                          SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                                                                                          SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                                                                                          SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):770384
                                                                                                                                                          Entropy (8bit):6.908020029901359
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4485813
                                                                                                                                                          Entropy (8bit):7.960501110953352
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:zvf5BQTYhbOg6IdJogvR31mRCbJ2O4qm08UhFdFtZ7C5Bd6wKWgSKNKk8R:zvhy2cW31mRCbEqf8UhFiBdQ+kO
                                                                                                                                                          MD5:B56FE6EA5F9CAFB0C73A95A3377C8CA1
                                                                                                                                                          SHA1:252F48E39D28A5554152F32F23A406E4E9E752DD
                                                                                                                                                          SHA-256:04C5B808B740AC5F17B12956AD0D1B2C21EA1D6A6011275AC2A0D08B454EDB6A
                                                                                                                                                          SHA-512:1A094CD5029F1D2BD0E804EC7F1911CF25CE319BEF3EB03BC57DF09A5BCF5957C813F9F7FF57B936F0596E0E00F3B447E2E2C3B5BAE9F3AD99BEB63C441DC0D7
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Users\user\Desktop\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):14302064
                                                                                                                                                          Entropy (8bit):7.991632876953663
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:393216:naTis2twlNkiqrp/dKXKdt08/dEy0z+Zm1X8SN3y0rJEMlw:naTutwjk93KXHaZ06Zm1MSN3jw
                                                                                                                                                          MD5:2C6652F7E01283DE091B5200B7878E69
                                                                                                                                                          SHA1:C7503315A496A65C28E4BE9FB397FFB830C54F8F
                                                                                                                                                          SHA-256:C1E1F6EB7AC42447F53711EAE48AF5B53FB6D75C9CE43CF7E4EDC413CCFB36F4
                                                                                                                                                          SHA-512:896B0BBD6E8F9E64472589A92C52537FC0140D9E05856A8E2578734E6C0D3D5D57562A63598FCB6E5A20CEA153C74884505D25E2971061DDA45C82F30C3B23AF
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):474056
                                                                                                                                                          Entropy (8bit):6.5454050911466695
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:ljzSlYxJd1mGgLzDxlzLIQNO1fc2G0LqR6tA15/5K+su:BzMz/VNUch0LqR6850lu
                                                                                                                                                          MD5:494C74C13C1E2E81E77240CC64F09206
                                                                                                                                                          SHA1:19C172D3B470F199EA50F7E71104CF30C538F351
                                                                                                                                                          SHA-256:DD8FA081CA5F7238C755C9D6E42F5A8ACA6F90B10412D4092EDA1DE6F76D8FF7
                                                                                                                                                          SHA-512:D76FA86BA474935809A057082E0C41C3CC7008477D0D8A035C4E77245BEBD9051B329BC07FD44FEC0FCF18B0C0779D60A497B36818C4A9815D7942DF8BE71672
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (450), with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2384
                                                                                                                                                          Entropy (8bit):3.7598071625620997
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:y+03N6hOOvpEkwcne1LaJVc0wkycmeRPwJvgkWHmi1qrBZi1Hymrcl:Rwcn6Lwc0wkyc/Puvgk/WqrBZWSmrq
                                                                                                                                                          MD5:31320EA56CB0843809C37D1C6F0D6AF1
                                                                                                                                                          SHA1:53176DCF526AFADC71815A2A8404AFEC35C5452C
                                                                                                                                                          SHA-256:470FF6E6A66EDCA04C8E9525B22B2B8E8F94C7CDB814EA2CCDB037E276B2F6D8
                                                                                                                                                          SHA-512:75C0C4F7CC2A5E1424CFE3970F0DEC1394E21EC316D247ED0B78DAC8E03FABE46E290692B70C7707F85AA63F6F2DD75C0302237D8A5677E2A753AA60465D38E2
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-16"?> <BootstrapperApplicationData xmlns="http://wixtoolset.org/schemas/v4/BootstrapperApplicationData"> <WixBundleProperties DisplayName="Rubrician" LogPathVariable="WixBundleLog" Compressed="no" Id="{73FA97B8-5FC7-43DA-983E-7EC402A046D6}" UpgradeCode="{08609119-8A30-4126-933A-76D50C9AE837}" PerMachine="yes" /> <WixRollbackBoundary Id="WixDefaultBoundary" Vital="yes" Transaction="no" /> <WixPackageProperties Package="Paxwax" Vital="yes" DisplayName="
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):252
                                                                                                                                                          Entropy (8bit):3.50802487441866
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6:QFulcLk0YR5Ie8GcUlLulFwENeWlYmH1fMWGVUlLulFwEnk:QF/LXYRWe8OLqF3Ye1kWGaLqFhk
                                                                                                                                                          MD5:A35990570AFAA7D023FD2EBBE229AFB8
                                                                                                                                                          SHA1:86688B13D3364ADB90BBA552F544D4D546AFD63D
                                                                                                                                                          SHA-256:9B696AD0EC3B37BAC11DA76BCD51AD907D31EE9638DAD7BB8FDD5AEF919EF621
                                                                                                                                                          SHA-512:1845B25697FED6D694428F53B2D1B2ABF1ACF8A09E8E49A536759822AD5B1A75D51BC7AE4D73E435B7BBC23AC34C9AED76F17414D218B54DA546C908F9A5182C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-16"?> <BundleExtensionData xmlns="http://wixtoolset.org/schemas/v4/BundleExtensionData" />
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2598912
                                                                                                                                                          Entropy (8bit):6.6049974235008655
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
                                                                                                                                                          MD5:FECC62A37D37D9759E6B02041728AA23
                                                                                                                                                          SHA1:0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
                                                                                                                                                          SHA-256:94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
                                                                                                                                                          SHA-512:698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):8581632
                                                                                                                                                          Entropy (8bit):6.736578346160889
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
                                                                                                                                                          MD5:831BA3A8C9D9916BDF82E07A3E8338CC
                                                                                                                                                          SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
                                                                                                                                                          SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
                                                                                                                                                          SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1053696
                                                                                                                                                          Entropy (8bit):6.539052666912709
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
                                                                                                                                                          MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
                                                                                                                                                          SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
                                                                                                                                                          SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
                                                                                                                                                          SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):356352
                                                                                                                                                          Entropy (8bit):6.447802510709224
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
                                                                                                                                                          MD5:E9A9411D6F4C71095C996A406C56129D
                                                                                                                                                          SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
                                                                                                                                                          SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
                                                                                                                                                          SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):6487736
                                                                                                                                                          Entropy (8bit):7.518089126573906
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
                                                                                                                                                          MD5:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                          SHA1:A150FA871E10919A1D626FFE37B1A400142F452B
                                                                                                                                                          SHA-256:421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
                                                                                                                                                          SHA-512:3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):664064
                                                                                                                                                          Entropy (8bit):6.953961612144461
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
                                                                                                                                                          MD5:A147F46E2E1F315AA219482D645BEED9
                                                                                                                                                          SHA1:073A6AE153A903B31463FA33512AA93DA1E3BB6F
                                                                                                                                                          SHA-256:2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
                                                                                                                                                          SHA-512:690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):60283
                                                                                                                                                          Entropy (8bit):4.569551839311306
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
                                                                                                                                                          MD5:3620E2D48EB60EC875FB9262ABC87D2B
                                                                                                                                                          SHA1:55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
                                                                                                                                                          SHA-256:E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
                                                                                                                                                          SHA-512:CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):421200
                                                                                                                                                          Entropy (8bit):6.59808962341698
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                                                                                          MD5:03E9314004F504A14A61C3D364B62F66
                                                                                                                                                          SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                                                                                          SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                                                                                          SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):770384
                                                                                                                                                          Entropy (8bit):6.908020029901359
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4485813
                                                                                                                                                          Entropy (8bit):7.960501110953352
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:zvf5BQTYhbOg6IdJogvR31mRCbJ2O4qm08UhFdFtZ7C5Bd6wKWgSKNKk8R:zvhy2cW31mRCbEqf8UhFiBdQ+kO
                                                                                                                                                          MD5:B56FE6EA5F9CAFB0C73A95A3377C8CA1
                                                                                                                                                          SHA1:252F48E39D28A5554152F32F23A406E4E9E752DD
                                                                                                                                                          SHA-256:04C5B808B740AC5F17B12956AD0D1B2C21EA1D6A6011275AC2A0D08B454EDB6A
                                                                                                                                                          SHA-512:1A094CD5029F1D2BD0E804EC7F1911CF25CE319BEF3EB03BC57DF09A5BCF5957C813F9F7FF57B936F0596E0E00F3B447E2E2C3B5BAE9F3AD99BEB63C441DC0D7
                                                                                                                                                          Malicious:false
                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Entropy (8bit):7.991632876953663
                                                                                                                                                          TrID:
                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                          File name:nkCBRtd25H.exe
                                                                                                                                                          File size:14'302'064 bytes
                                                                                                                                                          MD5:2c6652f7e01283de091b5200b7878e69
                                                                                                                                                          SHA1:c7503315a496a65c28e4be9fb397ffb830c54f8f
                                                                                                                                                          SHA256:c1e1f6eb7ac42447f53711eae48af5b53fb6d75c9ce43cf7e4edc413ccfb36f4
                                                                                                                                                          SHA512:896b0bbd6e8f9e64472589a92c52537fc0140d9e05856a8e2578734e6c0d3d5d57562a63598fcb6e5a20cea153c74884505d25e2971061dda45c82f30c3b23af
                                                                                                                                                          SSDEEP:393216:naTis2twlNkiqrp/dKXKdt08/dEy0z+Zm1X8SN3y0rJEMlw:naTutwjk93KXHaZ06Zm1MSN3jw
                                                                                                                                                          TLSH:EBE63331A1A2303FE6F52DB3B96496343D6CB2181B1486FEC6D0E84D38689D56EF7346
                                                                                                                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Gc..............Hz......Hz......L~......L~......L~..(....k..W...Hz......Hz......Hz..........^....~.......~,.......D......~.....
                                                                                                                                                          Icon Hash:2d2e3797b32b2b99
                                                                                                                                                          Entrypoint:0x446a50
                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                          Digitally signed:false
                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                          Time Stamp:0x642D70FB [Wed Apr 5 13:00:43 2023 UTC]
                                                                                                                                                          TLS Callbacks:
                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                          OS Version Major:6
                                                                                                                                                          OS Version Minor:0
                                                                                                                                                          File Version Major:6
                                                                                                                                                          File Version Minor:0
                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                          Import Hash:657e40fb09b2c5e277b865a7cf2b8089
                                                                                                                                                          Instruction
                                                                                                                                                          call 00007FBD38688F98h
                                                                                                                                                          jmp 00007FBD3868898Dh
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          retn 0000h
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          mov eax, dword ptr [esp+08h]
                                                                                                                                                          mov ecx, dword ptr [esp+10h]
                                                                                                                                                          or ecx, eax
                                                                                                                                                          mov ecx, dword ptr [esp+0Ch]
                                                                                                                                                          jne 00007FBD38688B1Bh
                                                                                                                                                          mov eax, dword ptr [esp+04h]
                                                                                                                                                          mul ecx
                                                                                                                                                          retn 0010h
                                                                                                                                                          push ebx
                                                                                                                                                          mul ecx
                                                                                                                                                          mov ebx, eax
                                                                                                                                                          mov eax, dword ptr [esp+08h]
                                                                                                                                                          mul dword ptr [esp+14h]
                                                                                                                                                          add ebx, eax
                                                                                                                                                          mov eax, dword ptr [esp+08h]
                                                                                                                                                          mul ecx
                                                                                                                                                          add edx, ebx
                                                                                                                                                          pop ebx
                                                                                                                                                          retn 0010h
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          int3
                                                                                                                                                          push ebx
                                                                                                                                                          push esi
                                                                                                                                                          mov eax, dword ptr [esp+18h]
                                                                                                                                                          or eax, eax
                                                                                                                                                          jne 00007FBD38688B2Ah
                                                                                                                                                          mov ecx, dword ptr [esp+14h]
                                                                                                                                                          mov eax, dword ptr [esp+10h]
                                                                                                                                                          xor edx, edx
                                                                                                                                                          div ecx
                                                                                                                                                          mov ebx, eax
                                                                                                                                                          mov eax, dword ptr [esp+0Ch]
                                                                                                                                                          div ecx
                                                                                                                                                          mov edx, ebx
                                                                                                                                                          jmp 00007FBD38688B53h
                                                                                                                                                          mov ecx, eax
                                                                                                                                                          mov ebx, dword ptr [esp+14h]
                                                                                                                                                          mov edx, dword ptr [esp+10h]
                                                                                                                                                          mov eax, dword ptr [esp+0Ch]
                                                                                                                                                          shr ecx, 1
                                                                                                                                                          rcr ebx, 1
                                                                                                                                                          shr edx, 1
                                                                                                                                                          rcr eax, 1
                                                                                                                                                          or ecx, ecx
                                                                                                                                                          jne 00007FBD38688B06h
                                                                                                                                                          div ebx
                                                                                                                                                          mov esi, eax
                                                                                                                                                          mul dword ptr [esp+18h]
                                                                                                                                                          mov ecx, eax
                                                                                                                                                          mov eax, dword ptr [esp+14h]
                                                                                                                                                          mul esi
                                                                                                                                                          add edx, ecx
                                                                                                                                                          jc 00007FBD38688B20h
                                                                                                                                                          cmp edx, dword ptr [esp+10h]
                                                                                                                                                          jnbe 00007FBD38688B1Ah
                                                                                                                                                          jc 00007FBD38688B19h
                                                                                                                                                          cmp eax, dword ptr [esp+0Ch]
                                                                                                                                                          jbe 00007FBD38688B13h
                                                                                                                                                          dec esi
                                                                                                                                                          xor edx, edx
                                                                                                                                                          mov eax, esi
                                                                                                                                                          pop esi
                                                                                                                                                          pop ebx
                                                                                                                                                          retn 0010h

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9a748 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x4efc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0x5f68 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x99560 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x995c0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x991e0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x6e000 | 0x3f8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x9a2a4 | 0x120 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6c139 | 0x6c200 | 92efecf5cfa9e863e69713e8451295eb | False | 0.5022376264450867 | data | 6.489848341668886 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x6e000 | 0x2de4c | 0x2e000 | c796b8ce19f947fe45f2a6998482442b | False | 0.27885636039402173 | data | 5.073579231118804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9c000 | 0x1790 | 0xa00 | 0d375a46a1b65b20341c234446129bcf | False | 0.18828125 | firmware 2005 v9319 (revision 0) \277E V2, 0 bytes or less, at 0 0 bytes , at 0 0 bytes | 2.357689911760452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didat | 0x9e000 | 0xcc | 0x200 | 00535babd2373dd0ad324ceba5e2fc7b | False | 0.263671875 | data | 1.7948113869126585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .wixburn | 0x9f000 | 0x30 | 0x200 | ab5f7325b234bacb71b5d58f9a9ff40e | False | 0.10546875 | data | 0.5556939563611969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xa0000 | 0x4efc | 0x5000 | 66e987baf579d3084984000d74768671 | False | 0.3189453125 | data | 5.418748157498877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xa5000 | 0x5f68 | 0x6000 | bf2489eda548104ef6d2ce4e15cf676f | False | 0.7933349609375 | data | 6.795414107251252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xa01c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.43185920577617326 |
| RT_RCDATA | 0xa0a68 | 0x8 | data | English | United States | 1.75 |
| RT_MESSAGETABLE | 0xa0a70 | 0x3d74 | data | English | United States | 0.282418001525553 |
| RT_GROUP_ICON | 0xa47e4 | 0x14 | data | English | United States | 1.15 |
| RT_VERSION | 0xa47f8 | 0x2c8 | data | English | United States | 0.4705056179775281 |
| RT_MANIFEST | 0xa4ac0 | 0x43c | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1081), with no line terminators | English | United States | 0.5027675276752768 |

| DLL | Import |
|---|---|
| KERNEL32.dll | GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, CreateProcessW, DuplicateHandle, FreeLibrary, ProcessIdToSessionId, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, OpenProcess, GetProcessId, SetProcessShutdownParameters, LocalFileTimeToFileTime, SetEndOfFile, SetFileTime, GetExitCodeThread, DosDateTimeToFileTime, CompareStringA, SetThreadExecutionState, ReleaseSemaphore, CreateMutexW, GetExitCodeProcess, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, GetStdHandle, ExitProcess, GetModuleHandleExW, VerifyVersionInfoW, GetFileType, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileSizeEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, WriteConsoleW, GetComputerNameW, GetSystemTime, VerSetConditionMask, CompareStringW, GetNativeSystemInfo, CreateThread, GetCurrentProcess, CreateSemaphoreW, CreateEventW, ReleaseMutex, ResetEvent, SetEvent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, MoveFileExW, SetFileAttributesW, RemoveDirectoryW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, GetCurrentDirectoryW, ExpandEnvironmentStringsW, GetProcessHeap, HeapSize, HeapFree, GetDateFormatW, HeapReAlloc, HeapAlloc, GetModuleFileNameW, GetSystemWow64DirectoryW, GetSystemDirectoryW, GetLocalTime, Sleep, SetLastError, GetTempPathW, GetVolumePathNameW, GetTempFileNameW, GetFullPathNameW, CreateDirectoryW, LCMapStringW, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, FormatMessageW, LocalFree, LoadLibraryExW, GetProcAddress, GetModuleHandleW, WaitForMultipleObjects, WaitForSingleObject, HeapSetInformation, GetLastError, lstrlenA, GetCurrentProcessId, GetModuleHandleA, MulDiv, CompareStringOrdinal, GetSystemWindowsDirectoryW, GlobalAlloc, GlobalFree, CopyFileW, LoadResource, LockResource, SizeofResource, FindResourceExA, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetTimeZoneInformation, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, WriteFile, SetFilePointer, CreateFileA, CloseHandle, CreateFileW |
| USER32.dll | ReleaseDC, MonitorFromPoint, MonitorFromWindow, GetDC, GetMonitorInfoW, ShowWindow, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, SetWindowPos, CreateWindowExW, UnregisterClassW, RegisterClassW, PostQuitMessage, DefWindowProcW, DispatchMessageW, TranslateMessage, GetMessageW, WaitForInputIdle, IsWindow, PostMessageW |
| GDI32.dll | SelectObject, StretchBlt, GetObjectW, DeleteObject, DeleteDC, GetDeviceCaps, CreateCompatibleDC, CreateDCW |
| ADVAPI32.dll | CryptHashData, CryptDestroyHash, CryptReleaseContext, OpenProcessToken, AllocateAndInitializeSid, CheckTokenMembership, GetTokenInformation, AdjustTokenPrivileges, IsWellKnownSid, LookupPrivilegeValueW, CryptCreateHash, RegCreateKeyExW, RegDeleteKeyW, RegEnumKeyExW, RegEnumValueW, RegSetValueExW, CryptGetHashParam, QueryServiceStatus, OpenServiceW, OpenSCManagerW, ControlService, CloseServiceHandle, ChangeServiceConfigW, SetEntriesInAclW, DecryptFileW, InitializeAcl, CreateWellKnownSid, ConvertStringSecurityDescriptorToSecurityDescriptorW, ReportEventW, OpenEventLogW, CloseEventLog, RegQueryInfoKeyW, RegDeleteValueW, RegQueryValueExW, GetUserNameW, InitiateSystemShutdownExW, RegOpenKeyExW, RegCloseKey, QueryServiceConfigW, SetNamedSecurityInfoW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetEntriesInAclA, CryptAcquireContextW |
| ole32.dll | CoInitializeEx, CoInitialize, CoInitializeSecurity, CoUninitialize, CLSIDFromProgID, CoTaskMemFree, StringFromGUID2, CoCreateInstance |
| OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString |
| RPCRT4.dll | UuidCreate |
| SHELL32.dll | SHGetFolderPathW, CommandLineToArgvW, ShellExecuteExW |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 15:26:42.506829977 CET | 53732 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:26:42.516356945 CET | 53 | 53732 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:26:49.492130995 CET | 63172 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:26:49.502023935 CET | 53 | 63172 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:26:56.488737106 CET | 60233 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:26:56.497951984 CET | 53 | 60233 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:03.472131014 CET | 63377 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:03.480253935 CET | 53 | 63377 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:10.448879957 CET | 53026 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:10.458112001 CET | 53 | 53026 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:17.645462990 CET | 59106 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:17.654309988 CET | 53 | 59106 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:24.688061953 CET | 52530 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:24.697566986 CET | 53 | 52530 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:31.672693968 CET | 64311 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:31.750998020 CET | 53 | 64311 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:38.723105907 CET | 57883 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:38.732527971 CET | 53 | 57883 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:45.737521887 CET | 60103 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:45.746804953 CET | 53 | 60103 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:27:53.208195925 CET | 49911 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:27:53.218030930 CET | 53 | 49911 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:28:00.200426102 CET | 51369 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:28:00.210608006 CET | 53 | 51369 | 1.1.1.1 | 192.168.2.6 |
| Jan 10, 2025 15:28:07.208475113 CET | 54365 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 10, 2025 15:28:07.218281984 CET | 53 | 54365 | 1.1.1.1 | 192.168.2.6 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 15:26:42.506829977 CET | 192.168.2.6 | 1.1.1.1 | 0x1bf6 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:26:49.492130995 CET | 192.168.2.6 | 1.1.1.1 | 0x8b9d | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:26:56.488737106 CET | 192.168.2.6 | 1.1.1.1 | 0xe3fb | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:03.472131014 CET | 192.168.2.6 | 1.1.1.1 | 0xd501 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:10.448879957 CET | 192.168.2.6 | 1.1.1.1 | 0xe5e9 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:17.645462990 CET | 192.168.2.6 | 1.1.1.1 | 0xbb01 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:24.688061953 CET | 192.168.2.6 | 1.1.1.1 | 0x403e | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:31.672693968 CET | 192.168.2.6 | 1.1.1.1 | 0x56b6 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:38.723105907 CET | 192.168.2.6 | 1.1.1.1 | 0xbbf5 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:45.737521887 CET | 192.168.2.6 | 1.1.1.1 | 0x6cab | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:53.208195925 CET | 192.168.2.6 | 1.1.1.1 | 0xdff1 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:28:00.200426102 CET | 192.168.2.6 | 1.1.1.1 | 0x1a5f | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:28:07.208475113 CET | 192.168.2.6 | 1.1.1.1 | 0x3ded | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 15:25:27.936445951 CET | 1.1.1.1 | 192.168.2.6 | 0x57a4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 15:25:27.936445951 CET | 1.1.1.1 | 192.168.2.6 | 0x57a4 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 15:25:27.936445951 CET | 1.1.1.1 | 192.168.2.6 | 0x57a4 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:26:42.516356945 CET | 1.1.1.1 | 192.168.2.6 | 0x1bf6 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:26:49.502023935 CET | 1.1.1.1 | 192.168.2.6 | 0x8b9d | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:26:56.497951984 CET | 1.1.1.1 | 192.168.2.6 | 0xe3fb | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:03.480253935 CET | 1.1.1.1 | 192.168.2.6 | 0xd501 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:10.458112001 CET | 1.1.1.1 | 192.168.2.6 | 0xe5e9 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:17.654309988 CET | 1.1.1.1 | 192.168.2.6 | 0xbb01 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:24.697566986 CET | 1.1.1.1 | 192.168.2.6 | 0x403e | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:31.750998020 CET | 1.1.1.1 | 192.168.2.6 | 0x56b6 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:38.732527971 CET | 1.1.1.1 | 192.168.2.6 | 0xbbf5 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:45.746804953 CET | 1.1.1.1 | 192.168.2.6 | 0x6cab | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:27:53.218030930 CET | 1.1.1.1 | 192.168.2.6 | 0xdff1 | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:28:00.210608006 CET | 1.1.1.1 | 192.168.2.6 | 0x1a5f | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 15:28:07.218281984 CET | 1.1.1.1 | 192.168.2.6 | 0x3ded | Name error (3) | bamarelakij.site | none | none | A (IP address) | IN (0x0001) | false |


Target ID: 0
Start time: 09:25:29
Start date: 10/01/2025
Path: C:\Users\user\Desktop\nkCBRtd25H.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\nkCBRtd25H.exe"
Imagebase: 0x3f0000
File size: 14'302'064 bytes
MD5 hash: 2C6652F7E01283DE091B5200B7878E69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:25:30
Start date: 10/01/2025
Path: C:\Windows\Temp\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\TEMP\{B0B1A4D2-2A9F-4E5D-80CC-F8A2293396D1}\.cr\nkCBRtd25H.exe" -burn.clean.room="C:\Users\user\Desktop\nkCBRtd25H.exe" -burn.filehandle.attached=640 -burn.filehandle.self=636
Imagebase: 0xe30000
File size: 14'302'064 bytes
MD5 hash: 2C6652F7E01283DE091B5200B7878E69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 29%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:25:32
Start date: 10/01/2025
Path: C:\Windows\Temp\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
Wow64 process (32bit): true
Commandline: C:\Windows\TEMP\{C774A726-8D87-43F8-9B8B-7D60F2D25847}\.ba\RescueCDBurner.exe
Imagebase: 0x330000
File size: 6'487'736 bytes
MD5 hash: 11C8962675B6D535C018A63BE0821E4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 09:25:34
Start date: 10/01/2025
Path: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Imagebase: 0xec0000
File size: 6'487'736 bytes
MD5 hash: 11C8962675B6D535C018A63BE0821E4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 09:25:35
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:25:35
Start date: 10/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:26:01
Start date: 10/01/2025
Path: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe"
Imagebase: 0xec0000
File size: 6'487'736 bytes
MD5 hash: 11C8962675B6D535C018A63BE0821E4C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 13
Start time: 09:26:01
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase: 0x140000000
File size: 2'364'728 bytes
MD5 hash: 967F4470627F823F4D7981E511C9824F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 09:26:01
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 09:26:02
Start date: 10/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 09:26:22
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase: 0x140000000
File size: 2'364'728 bytes
MD5 hash: 967F4470627F823F4D7981E511C9824F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage:4.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:8.8%
Total number of Nodes:1917
Total number of Limit Nodes:35
49172 3f2eaf 52 API calls 49171->49172 49171->49173 49172->49173 49173->49025 49174->49038 49175->49025 49176->49038 49177->49008 49178->49128 49179->49124 49181 3f8417 49180->49181 49182 3f29c8 52 API calls 49181->49182 49219 3f8420 49181->49219 49214 3f8452 49182->49214 49183 3f8a0e LeaveCriticalSection 49184 3f8a57 49183->49184 49196 3f8a1e 49183->49196 49188 3f8a6a 49184->49188 49189 3f8a88 49184->49189 49185 3f8a4b 49187 3f55c9 3 API calls 49185->49187 49186 3f8682 49227 3fb957 52 API calls 49186->49227 49187->49184 49191 3f8a78 49188->49191 49232 3f367f GetProcessHeap RtlFreeHeap GetLastError 49188->49232 49192 3f3886 5 API calls 49189->49192 49197 3f8a86 49191->49197 49233 3f367f GetProcessHeap RtlFreeHeap GetLastError 49191->49233 49199 3f8a90 49192->49199 49193 3f86a5 49193->49131 49194 3f87a4 49228 3fb957 52 API calls 49194->49228 49196->49185 49198 3f3886 5 API calls 49196->49198 49231 3f367f GetProcessHeap RtlFreeHeap GetLastError 49196->49231 49197->49131 49198->49196 49203 3f3886 5 API calls 49199->49203 49204 3f8a98 49203->49204 49205 3f3886 5 API calls 49204->49205 49205->49197 49206 3fb957 52 API calls 49206->49214 49211 3fb99a 52 API calls 49211->49214 49212 3f8698 49212->49193 49212->49219 49229 3fb938 52 API calls 49212->49229 49214->49186 49214->49194 49214->49206 49214->49211 49216 3f2eaf 52 API calls 49214->49216 49214->49219 49221 3f56c2 GetProcessHeap HeapReAlloc 49214->49221 49222 3f540b GetProcessHeap RtlAllocateHeap 49214->49222 49223 3fb4f2 CompareStringW GetLastError EnterCriticalSection LeaveCriticalSection 49214->49223 49224 3f8b6f 64 API calls 49214->49224 49225 3f3089 52 API calls 49214->49225 49226 3fb979 56 API calls 49214->49226 49216->49214 49218 3f8963 49230 3fb99a 52 API calls 49218->49230 49219->49183 49221->49214 49222->49214 49223->49214 49224->49214 49225->49214 49226->49214 49227->49212 49228->49212 49229->49218 49230->49219 49231->49196 49232->49191 49233->49197 49235 3f3f4d 49234->49235 49236 3f3f14 49234->49236 49237 
3f4dd8 71 API calls 49235->49237 49236->49235 49238 3f3f19 49236->49238 49239 3f3f57 49237->49239 49240 3f3dce 52 API calls 49238->49240 49242 3f3dce 52 API calls 49239->49242 49251 3f3f2c 49239->49251 49241 3f3f26 49240->49241 49243 3f4601 52 API calls 49241->49243 49241->49251 49242->49241 49244 3f3fa2 49243->49244 49246 3f6305 5 API calls 49244->49246 49252 3f3faf 49244->49252 49245 3f413e 49249 3f414c 49245->49249 49287 3f367f GetProcessHeap RtlFreeHeap GetLastError 49245->49287 49246->49252 49247 3f3feb GetLocalTime 49247->49252 49250 3f415a 49249->49250 49288 3f367f GetProcessHeap RtlFreeHeap GetLastError 49249->49288 49255 3f4168 49250->49255 49289 3f367f GetProcessHeap RtlFreeHeap GetLastError 49250->49289 49251->49245 49286 3f367f GetProcessHeap RtlFreeHeap GetLastError 49251->49286 49252->49247 49252->49251 49256 3f2acf 56 API calls 49252->49256 49260 3f40ba 49252->49260 49261 3f4071 GetLastError 49252->49261 49262 3f4083 Sleep 49252->49262 49258 4367e6 _ValidateLocalCookies 5 API calls 49255->49258 49256->49252 49259 3f4177 49258->49259 49259->49138 49260->49251 49264 3f2eaf 52 API calls 49260->49264 49261->49252 49261->49262 49262->49252 49263 3f4093 49262->49263 49263->49252 49264->49251 49290 44aabf 49265->49290 49267 44b40b LeaveCriticalSection 49267->49151 49268->49150 49270 3f6321 GetLastError 49269->49270 49279 3f632e 49269->49279 49271 3f6335 49270->49271 49270->49279 49272 3f633a 49271->49272 49275 3f6346 49271->49275 49299 3f6414 GetFileAttributesW 49272->49299 49274 3f6342 49274->49275 49274->49279 49276 3f6305 GetFileAttributesW 49275->49276 49275->49279 49277 3f6385 49276->49277 49278 3f63ad CreateDirectoryW 49277->49278 49277->49279 49280 3f63cb 49278->49280 49281 3f63bb GetLastError 49278->49281 49279->49160 49280->49279 49281->49280 49282->49140 49283->49144 49284->49149 49285->49155 49286->49245 49287->49249 49288->49250 49289->49255 49291 44aae2 49290->49291 49292 44ab1e 49291->49292 49296 44ab4b 49291->49296 49297 44aae8 49291->49297 
49298 3f3145 6 API calls 49292->49298 49293 44ab50 WriteFile 49295 44ab6b GetLastError 49293->49295 49293->49296 49295->49296 49296->49293 49296->49297 49297->49267 49298->49297 49299->49274 49322 3f8306 49300->49322 49302 3fa0fa 49303 3fa100 49302->49303 49313 3fa127 49302->49313 49330 3f9f0a 49302->49330 49305 3fa2ac LeaveCriticalSection 49303->49305 49307 3fa2cb 49305->49307 49308 3fa2b7 49305->49308 49307->49027 49308->49307 49312 3fa2d7 73 API calls 49308->49312 49309 3fa1c5 49311 3fa2d7 73 API calls 49309->49311 49316 3fa1fe 49309->49316 49310 3fa21a 49310->49309 49314 3fa203 49310->49314 49311->49316 49312->49307 49313->49303 49313->49309 49313->49310 49313->49314 49315 3fa1e4 49313->49315 49321 3fa270 49313->49321 49327 3fa2d7 49314->49327 49315->49309 49315->49316 49318 3fa1ef 49315->49318 49316->49321 49339 3f8119 49316->49339 49320 3fa2d7 73 API calls 49318->49320 49320->49316 49342 41dbcf 52 API calls 49321->49342 49323 3f8320 CompareStringW 49322->49323 49326 3f837d 49322->49326 49324 3f834d 49323->49324 49324->49323 49325 3f8371 GetLastError 49324->49325 49324->49326 49325->49326 49326->49302 49343 44b3c8 49327->49343 49332 3f9f26 49330->49332 49338 3f9fa3 _memcpy_s 49330->49338 49331 3f2eaf 52 API calls 49336 3f9f35 49331->49336 49333 3fa092 49332->49333 49335 3f9f67 49332->49335 49332->49336 49418 3f540b GetProcessHeap RtlAllocateHeap 49333->49418 49335->49336 49417 3f56c2 GetProcessHeap HeapReAlloc 49335->49417 49336->49313 49338->49331 49338->49336 49419 44b07f 49339->49419 49342->49303 49344 44b3d3 49343->49344 49346 3fa2e9 49344->49346 49347 44a9ff 49344->49347 49346->49316 49358 3f2ec6 49347->49358 49349 44aa1c 49350 3f2ae3 56 API calls 49349->49350 49352 44aa22 49349->49352 49351 44aa4f 49350->49351 49351->49352 49373 44a805 49351->49373 49354 44aaaa 49352->49354 49393 3f367f GetProcessHeap RtlFreeHeap GetLastError 49352->49393 49356 44aab7 49354->49356 49394 3f367f GetProcessHeap RtlFreeHeap GetLastError 49354->49394 49356->49346 49359 3f2ede 
49358->49359 49360 3f2ee9 49358->49360 49361 3f37f3 2 API calls 49359->49361 49362 3f2f14 MultiByteToWideChar 49360->49362 49363 3f2f77 49360->49363 49372 3f2eef 49360->49372 49361->49360 49362->49363 49364 3f2f2b GetLastError 49362->49364 49365 3f2fcd 49363->49365 49366 3f2fc4 49363->49366 49371 3f2fcb 49363->49371 49363->49372 49364->49372 49396 3f540b GetProcessHeap RtlAllocateHeap 49365->49396 49395 3f56c2 GetProcessHeap HeapReAlloc 49366->49395 49367 3f3018 MultiByteToWideChar 49370 3f3031 GetLastError 49367->49370 49367->49372 49370->49372 49371->49367 49371->49372 49372->49349 49374 44a9ed 49373->49374 49375 44a82e EnterCriticalSection 49373->49375 49376 4367e6 _ValidateLocalCookies 5 API calls 49374->49376 49377 44a935 49375->49377 49378 44a842 GetCurrentProcessId GetCurrentThreadId GetLocalTime 49375->49378 49379 44a9fb 49376->49379 49397 3f327c 49377->49397 49383 44a87f 49378->49383 49379->49352 49381 44a94f 49382 44a923 49381->49382 49384 44b3f2 10 API calls 49381->49384 49388 44a9c6 LeaveCriticalSection 49382->49388 49385 3f2acf 56 API calls 49383->49385 49384->49382 49386 44a90a 49385->49386 49386->49377 49387 44a914 49386->49387 49387->49382 49389 44a9d7 49388->49389 49390 44a9df 49388->49390 49412 3f367f GetProcessHeap RtlFreeHeap GetLastError 49389->49412 49390->49374 49413 3f367f GetProcessHeap RtlFreeHeap GetLastError 49390->49413 49393->49354 49394->49356 49395->49371 49396->49371 49398 3f32a1 49397->49398 49399 3f3296 49397->49399 49400 3f32ce WideCharToMultiByte 49398->49400 49403 3f3333 49398->49403 49411 3f32a7 49398->49411 49414 3f3840 GetProcessHeap HeapSize 49399->49414 49402 3f32e7 GetLastError 49400->49402 49400->49403 49402->49411 49405 3f3389 49403->49405 49406 3f3380 49403->49406 49410 3f3387 49403->49410 49403->49411 49404 3f33d4 WideCharToMultiByte 49407 3f33f0 GetLastError 49404->49407 49404->49411 49416 3f540b GetProcessHeap RtlAllocateHeap 49405->49416 49415 3f56c2 GetProcessHeap HeapReAlloc 49406->49415 49407->49411 49410->49404 
49410->49411 49411->49381 49412->49390 49413->49374 49414->49398 49415->49410 49416->49410 49417->49338 49418->49338 49420 44b08a 49419->49420 49421 3f812d 49420->49421 49423 44a747 FormatMessageW 49420->49423 49421->49321 49424 44a772 GetLastError 49423->49424 49425 44a77e 49423->49425 49424->49425 49426 44a78b 49425->49426 49427 44a805 69 API calls 49425->49427 49428 44a7f5 LocalFree 49426->49428 49429 44a7fe 49426->49429 49427->49426 49428->49429 49429->49421 49450 40ed3b 49430->49450 49433 452127 73 API calls 49434 40cc66 49433->49434 49435 3f6305 5 API calls 49434->49435 49447 40cc40 49434->49447 49436 40cc8c 49435->49436 49442 452127 73 API calls 49436->49442 49436->49447 49437 40cd53 49438 40cd60 49437->49438 49490 3f367f GetProcessHeap RtlFreeHeap GetLastError 49437->49490 49441 40cd6d 49438->49441 49491 3f367f GetProcessHeap RtlFreeHeap GetLastError 49438->49491 49441->49064 49444 40ccb8 49442->49444 49444->49447 49462 40cd75 49444->49462 49447->49437 49489 3f367f GetProcessHeap RtlFreeHeap GetLastError 49447->49489 49448 3f2eaf 52 API calls 49448->49447 49449->49065 49451 40ede9 DecryptFileW 49450->49451 49460 40ed56 49450->49460 49452 40edfd 49451->49452 49457 40edb7 49451->49457 49455 3f2eaf 52 API calls 49452->49455 49453 40cc3a 49453->49433 49453->49447 49454 452127 73 API calls 49454->49460 49455->49457 49457->49453 49493 3f367f GetProcessHeap RtlFreeHeap GetLastError 49457->49493 49459 3f6305 5 API calls 49459->49460 49460->49454 49460->49459 49461 40eda1 49460->49461 49492 44acf6 72 API calls _ValidateLocalCookies 49460->49492 49461->49451 49461->49457 49463 40cdc1 49462->49463 49464 40ce17 49463->49464 49465 40cdc8 GetLastError 49463->49465 49494 4539dd SetFilePointerEx 49464->49494 49466 40cdd4 49465->49466 49474 4367e6 _ValidateLocalCookies 5 API calls 49466->49474 49468 40ce21 49468->49466 49497 452b2e 49468->49497 49471 40ce9a SetFilePointerEx 49472 40cef2 49471->49472 49473 40ceab GetLastError 49471->49473 49505 453f70 49472->49505 
49473->49466 49476 40cce3 49474->49476 49476->49447 49476->49448 49477 40cefe 49477->49466 49478 40cf1b SetFilePointerEx 49477->49478 49479 40cf74 49478->49479 49480 40cf2e GetLastError 49478->49480 49481 453f70 2 API calls 49479->49481 49480->49466 49482 40cf80 49481->49482 49482->49466 49483 453f70 2 API calls 49482->49483 49484 40cfa9 49483->49484 49484->49466 49485 40cfc3 SetFilePointerEx 49484->49485 49486 40cfd6 GetLastError 49485->49486 49487 40cfe2 49485->49487 49486->49487 49488 453f70 2 API calls 49487->49488 49488->49466 49489->49437 49490->49438 49491->49441 49492->49460 49493->49453 49495 4539ff GetLastError 49494->49495 49496 453a0b 49494->49496 49495->49496 49496->49468 49501 452b3b ___scrt_uninitialize_crt 49497->49501 49498 452ba7 ReadFile 49499 452c39 GetLastError 49498->49499 49498->49501 49502 452c12 49499->49502 49500 453f70 2 API calls 49500->49501 49501->49498 49501->49500 49501->49502 49503 4367e6 _ValidateLocalCookies 5 API calls 49502->49503 49504 40ce5f 49503->49504 49504->49466 49504->49471 49506 453f85 WriteFile 49505->49506 49509 453fc0 49505->49509 49507 453f9f GetLastError 49506->49507 49508 453fab 49506->49508 49507->49508 49508->49506 49508->49509 49509->49477 49511 412b5c 49510->49511 49512 412b0e GetLastError 49510->49512 49533 3f2a55 56 API calls 49511->49533 49514 412b1a 49512->49514 49514->49071 49516 412bf7 49515->49516 49520 412c1e 49516->49520 49534 3f2a55 56 API calls 49516->49534 49518 412c15 49518->49520 49535 3f29f3 56 API calls 49518->49535 49520->49074 49521->49077 49522->49081 49523->49076 49524->49079 49525->49084 49526->49084 49527->49088 49528->49094 49529->49089 49530->49092 49531->49093 49532->49072 49533->49514 49534->49518 49535->49520 49537 3f1ae9 56 API calls 49536->49537 49538 3f2b0d 49537->49538 49538->48993 49538->49102 49540 3f176a 49539->49540 49542 3f1763 49539->49542 49541 3f1795 GetLastError 49540->49541 49540->49542 49541->49542 49542->49109 49544 3f38bb 49543->49544 49546 3f38c5 49543->49546 49548 
3f593a GetProcessHeap HeapSize 49544->49548 49546->49115 49547->49116 49548->49546 50630 41ce90 30 API calls 50631 420090 95 API calls 50632 439890 14 API calls ___std_exception_copy 50634 41fa97 54 API calls 50636 3f9ae0 60 API calls _ValidateLocalCookies 49635 41e0a0 49636 41e0cd 49635->49636 49637 41e14a SetFilePointerEx 49636->49637 49639 41e0d7 49636->49639 49638 41e162 GetLastError 49637->49638 49637->49639 49638->49639 50639 4332af 120 API calls 50640 3fd6d3 103 API calls 50644 44b0b7 InitializeCriticalSection 50374 3f7cc6 50375 3f7ccb 50374->50375 50376 3f4456 60 API calls 50375->50376 50377 3f7cfd 50376->50377 50378 3f8119 72 API calls 50377->50378 50379 3f7d31 50378->50379 50380 3f7d48 50379->50380 50439 3f367f GetProcessHeap RtlFreeHeap GetLastError 50379->50439 50384 413fe2 50380->50384 50385 414005 _memcpy_s 50384->50385 50440 3faa6f InitializeCriticalSection 50385->50440 50392 414455 50469 3feaf6 50392->50469 50397 41445e 50398 41446c 50397->50398 50482 3f367f GetProcessHeap RtlFreeHeap GetLastError 50397->50482 50399 41447a 50398->50399 50483 3f367f GetProcessHeap RtlFreeHeap GetLastError 50398->50483 50403 3f7d5b 50399->50403 50404 3f55c9 3 API calls 50399->50404 50404->50403 50405 4140b9 50417 414020 50405->50417 50473 412372 59 API calls 50405->50473 50407 414112 50408 3f8119 72 API calls 50407->50408 50407->50417 50409 414145 50408->50409 50410 414152 50409->50410 50411 41418c 50409->50411 50474 44acf6 72 API calls _ValidateLocalCookies 50410->50474 50475 414491 60 API calls 50411->50475 50414 414192 50414->50417 50476 3fb861 80 API calls 50414->50476 50416 4141c5 50416->50417 50477 3fb861 80 API calls 50416->50477 50417->50392 50481 3f367f GetProcessHeap RtlFreeHeap GetLastError 50417->50481 50419 414246 50419->50417 50421 4142dd 50419->50421 50424 3fb89c 80 API calls 50419->50424 50420 414207 50420->50417 50420->50419 50422 3fb89c 80 API calls 50420->50422 50421->50417 50423 414314 50421->50423 50425 3fb89c 80 API calls 50421->50425 
50422->50419 50423->50417 50428 414361 50423->50428 50478 40f752 110 API calls 50423->50478 50426 414282 50424->50426 50425->50423 50426->50417 50429 3f4601 52 API calls 50426->50429 50428->50417 50479 402b07 95 API calls 50428->50479 50430 4142ae 50429->50430 50430->50417 50432 3fb89c 80 API calls 50430->50432 50432->50421 50433 4143a5 50433->50417 50480 3ff4db 89 API calls 50433->50480 50435 4143d1 50435->50417 50436 3f3db5 52 API calls 50435->50436 50437 4143fb 50436->50437 50437->50417 50438 3f2eaf 52 API calls 50437->50438 50438->50417 50439->50380 50441 3fb448 50440->50441 50443 3fb483 50441->50443 50445 3fb4a3 50441->50445 50484 3f813a 50441->50484 50443->50445 50489 3f8218 54 API calls 50443->50489 50446 4367e6 _ValidateLocalCookies 5 API calls 50445->50446 50447 3fb4ee 50446->50447 50447->50417 50448 3fed7b 50447->50448 50449 3fed9b _memcpy_s 50448->50449 50450 3f4456 60 API calls 50449->50450 50454 3fedca 50449->50454 50451 3fede8 50450->50451 50451->50454 50490 3febdb 50451->50490 50453 3fee48 50453->50417 50456 3febba 50453->50456 50454->50453 50501 3f367f GetProcessHeap RtlFreeHeap GetLastError 50454->50501 50457 3febca 50456->50457 50458 3febd3 50456->50458 50529 41ee35 8 API calls 50457->50529 50458->50417 50460 3fee6f 50458->50460 50461 3fee7f 50460->50461 50462 3fee8b 50460->50462 50461->50417 50464 433ce0 50461->50464 50530 41f028 8 API calls 50462->50530 50531 45061b VariantInit 50464->50531 50468 433cfe 50468->50405 50470 3feb08 50469->50470 50472 3feb0e _memcpy_s 50469->50472 50549 41ed3e 7 API calls 50470->50549 50472->50397 50473->50407 50474->50417 50475->50414 50476->50416 50477->50420 50478->50428 50479->50433 50480->50435 50481->50392 50482->50398 50483->50399 50485 3f8306 2 API calls 50484->50485 50486 3f8154 50485->50486 50487 3f815a 50486->50487 50488 3f9f0a 52 API calls 50486->50488 50487->50441 50488->50487 50489->50443 50491 3fec0d 50490->50491 50492 3fec80 GetCurrentProcess GetCurrentProcess DuplicateHandle 50490->50492 50493 
3fecda SetFilePointerEx 50491->50493 50495 3fec31 GetLastError 50491->50495 50492->50493 50494 3feca0 GetLastError 50492->50494 50498 3fecfb GetLastError 50493->50498 50499 3fed3c 50493->50499 50497 3fec3d 50494->50497 50495->50497 50497->50454 50498->50497 50499->50497 50502 41ee8b 50499->50502 50501->50453 50503 3f2eaf 52 API calls 50502->50503 50504 41eea7 50503->50504 50505 41eec4 CreateEventW 50504->50505 50513 41eead 50504->50513 50506 41eed6 GetLastError 50505->50506 50507 41ef1a CreateEventW 50505->50507 50506->50513 50508 41ef63 CreateThread 50507->50508 50509 41ef2c GetLastError 50507->50509 50510 41efb4 50508->50510 50511 41ef7a GetLastError 50508->50511 50515 41e800 CoInitializeEx 50508->50515 50509->50513 50514 41ec24 6 API calls 50510->50514 50511->50513 50513->50497 50514->50513 50516 41e831 50515->50516 50519 41e855 50515->50519 50517 4367e6 _ValidateLocalCookies 5 API calls 50516->50517 50518 41eae2 50517->50518 50520 41e9ca SetEvent 50519->50520 50521 41e8a5 50519->50521 50522 41ea20 50520->50522 50523 41e9d7 GetLastError 50520->50523 50525 41eacd CoUninitialize 50521->50525 50524 3f174a 2 API calls 50522->50524 50523->50521 50526 41ea2a 50524->50526 50525->50516 50526->50521 50527 41ea49 ResetEvent 50526->50527 50527->50521 50528 41ea56 GetLastError 50527->50528 50528->50521 50529->50458 50530->50461 50537 44fe01 GetModuleHandleA 50531->50537 50533 450662 50534 4367e6 _ValidateLocalCookies 5 API calls 50533->50534 50535 433cf8 50534->50535 50535->50468 50536 43396f 201 API calls 50535->50536 50536->50468 50538 44fea6 GetProcAddress 50537->50538 50539 44fe2b GetLastError 50537->50539 50540 44ff16 CoCreateInstance 50538->50540 50541 44feb6 GetProcAddress GetProcAddress GetProcAddress 50538->50541 50544 44fe37 50539->50544 50542 44ff58 50540->50542 50547 44ff37 50540->50547 50546 44fee8 50541->50546 50542->50547 50548 45003b SysAllocString SysFreeString 50542->50548 50544->50533 50545 450032 ExitProcess 50546->50540 50547->50544 50547->50545 
50548->50547 50549->50472 50649 3f8f30 54 API calls _ValidateLocalCookies 50650 437150 51 API calls _unexpected 50651 439350 6 API calls 4 library calls 50653 442f50 FreeLibrary 50654 4090f5 9 API calls _ValidateLocalCookies 49613 3f1121 49614 3f113c 49613->49614 49623 3f79d1 49614->49623 49618 3f114d 49619 3f11a5 49618->49619 49629 3f367f GetProcessHeap RtlFreeHeap GetLastError 49618->49629 49621 4367e6 _ValidateLocalCookies 5 API calls 49619->49621 49622 3f11bb 49621->49622 49624 3f79e7 lstrlenW 49623->49624 49626 3f79fc 49623->49626 49624->49626 49625 3f7a15 CompareStringW 49627 3f1144 49625->49627 49626->49625 49626->49627 49628 3f1651 HeapSetInformation 49627->49628 49628->49618 49629->49619 50656 3f9720 16 API calls 49631 3f7b1f 178 API calls _ValidateLocalCookies 50657 3f711f 371 API calls 50258 45c16b 16 API calls ___delayLoadHelper2@8 50661 41f971 76 API calls 50662 41f170 117 API calls 50666 40757c 62 API calls 48214 3f677f InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 48215 3f67e5 48214->48215 48216 3f67f1 GetCurrentProcess 48215->48216 48225 44b796 OpenProcessToken 48216->48225 48218 3f6804 48230 41469c 48218->48230 48220 3f681e 48224 3f6824 48220->48224 48296 3fdb61 48220->48296 48226 44b7be GetLastError 48225->48226 48227 44b7f8 GetTokenInformation 48225->48227 48229 44b7ca 48226->48229 48228 44b820 GetLastError 48227->48228 48227->48229 48228->48229 48229->48218 48262 414910 48230->48262 48279 4146d7 48230->48279 48231 4146fb CompareStringW 48232 41572b CompareStringW 48231->48232 48233 41471b CompareStringW 48231->48233 48232->48279 48233->48232 48234 41473e CompareStringW 48233->48234 48234->48232 48236 414761 CompareStringW 48234->48236 48235 3f5573 6 API calls 48235->48279 48237 414784 CompareStringW 48236->48237 48236->48279 48238 4147a7 CompareStringW 48237->48238 48237->48279 48239 4147ca CompareStringW 48238->48239 48238->48279 48240 4147ed CompareStringW 48239->48240 48239->48279 48241 414810 CompareStringW 
48240->48241 48240->48279 48242 414833 CompareStringW 48241->48242 48241->48279 48243 414856 CompareStringW 48242->48243 48242->48279 48244 414884 CompareStringW 48243->48244 48243->48279 48245 41495d CompareStringW 48244->48245 48244->48279 48246 41499a CompareStringW 48245->48246 48245->48279 48247 4149d8 CompareStringW 48246->48247 48246->48279 48248 414a16 CompareStringW 48247->48248 48247->48279 48249 414a54 CompareStringW 48248->48249 48248->48279 48250 414a77 CompareStringW 48249->48250 48249->48279 48251 414a9a CompareStringW 48250->48251 48250->48279 48252 414ac5 CompareStringW 48251->48252 48251->48279 48253 414afb CompareStringW 48252->48253 48252->48279 48254 414b28 CompareStringW 48253->48254 48253->48279 48255 414b89 CompareStringW 48254->48255 48254->48279 48256 414bea CompareStringW 48255->48256 48255->48279 48257 414c3d CompareStringW 48256->48257 48256->48279 48259 414c90 lstrlenW CompareStringW 48257->48259 48257->48279 48258 3f417b 60 API calls 48258->48279 48260 414d58 CompareStringW 48259->48260 48261 414cba lstrlenW 48259->48261 48263 414e56 lstrlenW lstrlenW CompareStringW 48260->48263 48260->48279 48261->48279 48262->48220 48264 414f7a lstrlenW lstrlenW CompareStringW 48263->48264 48263->48279 48265 415010 CompareStringW 48264->48265 48266 414faa lstrlenW 48264->48266 48267 4150a6 CompareStringW 48265->48267 48265->48279 48266->48279 48269 4150e9 CompareStringW 48267->48269 48267->48279 48268 414ef6 lstrlenW 48268->48279 48271 41510a CompareStringW 48269->48271 48269->48279 48270 3f8119 72 API calls 48270->48279 48272 41512d CompareStringW 48271->48272 48271->48279 48274 415150 CompareStringW 48272->48274 48272->48279 48273 4129f3 52 API calls 48273->48279 48275 415173 CompareStringW 48274->48275 48274->48279 48276 415196 CompareStringW 48275->48276 48275->48279 48277 4151bc CompareStringW 48276->48277 48276->48279 48278 4151e2 CompareStringW 48277->48278 48277->48279 48278->48279 48280 415210 CompareStringW 48278->48280 48279->48231 
48279->48232 48279->48235 48279->48258 48279->48262 48279->48268 48279->48269 48279->48270 48279->48273 48279->48280 48282 415320 lstrlenW lstrlenW CompareStringW 48279->48282 48285 4153c8 lstrlenW lstrlenW CompareStringW 48279->48285 48290 3f2eaf 52 API calls 48279->48290 48294 41567a lstrlenW lstrlenW CompareStringW 48279->48294 48280->48279 48281 41527b lstrlenW lstrlenW CompareStringW 48280->48281 48281->48282 48283 4152ab lstrlenW 48281->48283 48284 415350 lstrlenW 48282->48284 48282->48285 48283->48279 48284->48279 48286 415463 lstrlenW lstrlenW CompareStringW 48285->48286 48287 4153f8 lstrlenW 48285->48287 48288 415522 lstrlenW lstrlenW CompareStringW 48286->48288 48289 415497 lstrlenW 48286->48289 48287->48279 48291 415552 lstrlenW 48288->48291 48292 4155cb lstrlenW lstrlenW CompareStringW 48288->48292 48295 4154b7 48289->48295 48290->48279 48291->48295 48293 4155fb lstrlenW 48292->48293 48292->48294 48293->48279 48294->48279 48295->48288 48295->48292 48297 3fdb9a _memcpy_s 48296->48297 48298 3fdc18 SetFilePointerEx 48297->48298 48299 3fdbd8 GetLastError 48297->48299 48301 3fdc74 ReadFile 48298->48301 48302 3fdc34 GetLastError 48298->48302 48325 3fdbe4 48299->48325 48303 3fdcce 48301->48303 48304 3fdc8e GetLastError 48301->48304 48302->48325 48305 3fdcea SetFilePointerEx 48303->48305 48303->48325 48304->48325 48306 3fdd3e ReadFile 48305->48306 48307 3fdcfe GetLastError 48305->48307 48308 3fdd9b 48306->48308 48309 3fdd5b GetLastError 48306->48309 48307->48325 48310 3fddb8 SetFilePointerEx 48308->48310 48308->48325 48309->48325 48312 3fde1f ReadFile 48310->48312 48313 3fdddf GetLastError 48310->48313 48315 3fde7c ReadFile 48312->48315 48316 3fde3c GetLastError 48312->48316 48313->48325 48314 3f6847 48314->48224 48341 40f511 48314->48341 48317 3fded9 SetFilePointerEx 48315->48317 48318 3fde99 GetLastError 48315->48318 48316->48325 48319 3fdf38 ReadFile 48317->48319 48320 3fdef8 GetLastError 48317->48320 48318->48325 48321 3fdfbc GetLastError 48319->48321 48322 
3fdf5c 48319->48322 48320->48325 48321->48325 48323 3fe00e 48322->48323 48324 3fdf96 ReadFile 48322->48324 48322->48325 48328 3fe0b2 48322->48328 48323->48325 48369 3f540b GetProcessHeap RtlAllocateHeap 48323->48369 48324->48321 48324->48322 48370 4367e6 48325->48370 48327 3fe054 48327->48325 48329 3fe08f SetFilePointerEx 48327->48329 48328->48325 48380 3f55c9 GetProcessHeap RtlFreeHeap 48328->48380 48330 3fe0ef ReadFile 48329->48330 48331 3fe0a6 GetLastError 48329->48331 48332 3fe114 GetLastError 48330->48332 48333 3fe14b 48330->48333 48331->48328 48335 3fe120 48332->48335 48333->48335 48377 453b63 GetFileSizeEx GetLastError 48333->48377 48335->48328 48337 3fe202 48378 3f540b GetProcessHeap RtlAllocateHeap 48337->48378 48339 3fe2aa _memcpy_s 48379 3fd84a GetModuleHandleW GetLastError 48339->48379 48384 45267a 48341->48384 48346 40f530 48348 40f74b 48346->48348 48444 3f367f GetProcessHeap RtlFreeHeap GetLastError 48346->48444 48348->48224 48349 40f597 48349->48346 48402 45672f 48349->48402 48352 40f636 48441 3f2eaf 48352->48441 48353 40f5ce 48353->48346 48353->48352 48356 40f61b 48353->48356 48357 40f5fb 48353->48357 48355 40f601 48355->48346 48414 451ec9 48355->48414 48356->48352 48440 44acf6 72 API calls _ValidateLocalCookies 48356->48440 48359 3f3cfd 52 API calls 48357->48359 48359->48355 48362 45267a 72 API calls 48363 40f6a9 48362->48363 48363->48346 48364 3f3db5 52 API calls 48363->48364 48365 40f6d9 48364->48365 48365->48346 48366 3f3cfd 52 API calls 48365->48366 48367 40f6fe 48366->48367 48367->48346 48427 40cb06 48367->48427 48369->48327 48371 4367ef IsProcessorFeaturePresent 48370->48371 48372 4367ee 48370->48372 48374 436b55 48371->48374 48372->48314 48383 436b18 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48374->48383 48376 436c38 48376->48314 48377->48337 48378->48339 48379->48335 48381 3f55f0 48380->48381 48382 3f55e4 GetLastError 48380->48382 48381->48325 48382->48381 48383->48376 48385 4526b2 48384->48385 

Control-flow Graph

[Graph not reproduced: control_flow_graph 194, entry block 3f5c81-3f5cf2; node legend: Executed / Not Executed]
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 003F5CE9
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F5CF4
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,00000001), ref: 003F5D73
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F5D7D
• FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,?,00000000,00000001), ref: 003F5E67
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F5E78
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?), ref: 003F5FC5
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F5FCF
• DeleteFileW.KERNELBASE(?,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?,00000000), ref: 003F6011
• MoveFileExW.KERNEL32(?,?,00000001,?,DEL,00000000,?,?,?,?,?,00000000,00000001), ref: 003F6056
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 003F606A
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F607A
• FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?), ref: 003F60BF
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F614D
• RemoveDirectoryW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 003F615F
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F616D
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 003F6195
• FindClose.KERNEL32(000000FF,?,?,?,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000149,8000FFFF,?,?,?,?,00000000,00000001), ref: 003F62B0
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
Similarity
• API ID: File$ErrorLast$AttributesFindMove$CloseDeleteDirectoryFirstNextRemove
• String ID: *.*$DEL$Directory delete cannot delete file: %ls$Failed to concat filename '%ls' to directory: %ls$Failed to concat wild cards to string: %ls$Failed to delete file: %ls$Failed to delete subdirectory; continuing: %ls$Failed to ensure file name was null terminated.$Failed to ensure path is backslash terminated: %ls$Failed to get attributes for path: %ls$Failed to get temp directory.$Failed to get temp file to move to.$Failed to remove attributes from file: %ls$Failed to remove directory: %ls$Failed to remove read-only attribute from path: %ls$Failed while looping through files in directory: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to get first file in directory: %ls
• API String ID: 3695804116-305978383
• Opcode ID: ddf4fba67ffe7f16fa4e6ee71d9beb5136a3d7832738aa8f7ece3966f049f83a
• Instruction ID: cc149936a75a9897fe26accd8652fa19c85697397e525c4fd1477fc6a17a0e7a
• Opcode Fuzzy Hash: ddf4fba67ffe7f16fa4e6ee71d9beb5136a3d7832738aa8f7ece3966f049f83a
• Instruction Fuzzy Hash: 6DF13872D4173DB6EB3356108D0BFBF666C9B01B11F124595FF08BA1C2E7748D808A9A

Control-flow Graph

[Graph not reproduced: control_flow_graph 1058, entry block 44fe01-44fe29; node legend: Executed / Not Executed]
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,003F7DDB,?,00450662,00000000,003F7D5B,00000000,?,?,004140B9,?,?,003F7D5B,?), ref: 0044FE1F
• GetLastError.KERNEL32(?,00450662,00000000,003F7D5B,00000000,?,?,004140B9,?,?,003F7D5B,?,?,?,?,?), ref: 0044FE2B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0044FEAC
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0044FEBC
• GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 0044FECB
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0044FED9
• CoCreateInstance.OLE32(0048D6D8,00000000,00000001,0045E8F8,003F7D5B,?,00450662,00000000,003F7D5B,00000000,?,?,004140B9,?,?,003F7D5B), ref: 0044FF2B
• ExitProcess.KERNEL32 ref: 00450034
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                                                                            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateElement$failed appendChild$failed to create XML DOM Document$failed to get handle to kernel32.dll$kernel32.dll$E
                                                                                                                                                            • API String ID: 2124981135-3478133041
                                                                                                                                                            • Opcode ID: 82a2a1eb8a57fb66cdaff5b8da8729a86b08da518b2202a877ab6873fd9d8689
                                                                                                                                                            • Instruction ID: 1dd6266477f0d0fa3795076bff0fc1a56dbdd06e651343fed7c2bdc1fda187bb
                                                                                                                                                            • Opcode Fuzzy Hash: 82a2a1eb8a57fb66cdaff5b8da8729a86b08da518b2202a877ab6873fd9d8689
                                                                                                                                                            • Instruction Fuzzy Hash: 6A61E430A00315ABEB15AF558C09F6E77A8EB45B12F2140BBF905E7391DB78CE49CB48
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(0048D4F0,00000000,00000000,--- logging level: %hs ---,00481670,00000000,?,003F7B05,00000003), ref: 0044A833
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,003F7B05,00000003), ref: 0044A843
                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0044A84C
                                                                                                                                                            • GetLocalTime.KERNEL32(003F7B05,?,003F7B05,00000003), ref: 0044A862
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(0048D4F0,?,?,?,00000000,0000FDE9,?,003F7B05,00000003), ref: 0044A9CB
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to write string to log using redirected function: %ls, xrefs: 0044A98A
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 0044A923, 0044A9B9
                                                                                                                                                            • Failed to format line prefix., xrefs: 0044A914
                                                                                                                                                            • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0044A8FF
                                                                                                                                                            • Failed to convert log string to UTF-8, xrefs: 0044A955
                                                                                                                                                            • Failed to write string to log using default function: %ls, xrefs: 0044A9AA
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                                                                            • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$Failed to convert log string to UTF-8$Failed to format line prefix.$Failed to write string to log using default function: %ls$Failed to write string to log using redirected function: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
                                                                                                                                                            • API String ID: 296830338-1339504754
                                                                                                                                                            • Opcode ID: 75c6f413516456192c8e343b003c0fdfd65ea0a374dc2e6ade7608f6e9a61701
                                                                                                                                                            • Instruction ID: 379fd0d7ca89cd504475f106cf1b2f4893a9ff8c407e5c33b0a7421735e5ea01
                                                                                                                                                            • Opcode Fuzzy Hash: 75c6f413516456192c8e343b003c0fdfd65ea0a374dc2e6ade7608f6e9a61701
                                                                                                                                                            • Instruction Fuzzy Hash: 6F51F871E41219BBEB25AB95CC05BBF7778EB08B11F110827F900BA291D7389D51C79A
                                                                                                                                                            APIs
                                                                                                                                                            • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000002,00000000,00000000,00000000,?,?,0044B0B3,004150E1,?,?,00000000,00000001), ref: 0044A766
                                                                                                                                                            • GetLastError.KERNEL32(?,0044B0B3,004150E1,?,?,00000000,00000001,?,003F812D,004150E1,?,00000000,?,?,004150E1,00000002), ref: 0044A772
                                                                                                                                                            • LocalFree.KERNEL32(00000000,004150E1,?,00000002,?,?,0044B0B3,004150E1,?,?,00000000,00000001,?,003F812D,004150E1,?), ref: 0044A7F8
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to log id: %d
                                                                                                                                                            • API String ID: 1365068426-1219654922
                                                                                                                                                            • Opcode ID: 7fb2236f4c661bb344b25e116bd4dfc2721f35c2f0e83f49754b7a8d9c9d4b5d
                                                                                                                                                            • Instruction ID: 2027ea82ae3056fe5d34cdfa886426723fa542a0b34618524e1cbe317c4d392c
                                                                                                                                                            • Opcode Fuzzy Hash: 7fb2236f4c661bb344b25e116bd4dfc2721f35c2f0e83f49754b7a8d9c9d4b5d
                                                                                                                                                            • Instruction Fuzzy Hash: C321A172640129BFEB21AF81DD45EAF7A7DEF44750F01401BF900A6161D734CE21E6A6
                                                                                                                                                            APIs
                                                                                                                                                            • DecryptFileW.ADVAPI32(?,00000000), ref: 0040EDF1
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DecryptFile
                                                                                                                                                            • String ID: Failed to copy working folder.$No usable base working folder found.$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 3257575229-4136860833
                                                                                                                                                            • Opcode ID: e0124ef44cadb6a810f4f8b7737db6919d7342a00eac1e2afafc72b0f4078176
                                                                                                                                                            • Instruction ID: 7d675e04cff59f684ef7396d9ff4bc54cafa8b1d7ee8531052f61cb73b54b978
                                                                                                                                                            • Opcode Fuzzy Hash: e0124ef44cadb6a810f4f8b7737db6919d7342a00eac1e2afafc72b0f4078176
                                                                                                                                                            • Instruction Fuzzy Hash: 7331C831A40619FBD7129A65CC45FAFB664FF04710F108536F504BA1D1D7B8AE20DBA8
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1357844191-0
                                                                                                                                                            • Opcode ID: 30935e8642967c9a8301a0c7c71b45916001fb82aab58d3484ab11cc9374ee20
                                                                                                                                                            • Instruction ID: 839716b502bfd9c8892646629394255106bf976414b6bb89139ca89d0188ef1c
                                                                                                                                                            • Opcode Fuzzy Hash: 30935e8642967c9a8301a0c7c71b45916001fb82aab58d3484ab11cc9374ee20
                                                                                                                                                            • Instruction Fuzzy Hash: AAC01232194308A78B046FF5DC0AC85779CA754603B008561B505C6011C638E1508764

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F6C5C,00000000,003F6570), ref: 003FDBD8
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDC2A
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F6C5C,00000000,003F6570), ref: 003FDC34
                                                                                                                                                            • ReadFile.KERNELBASE(003F6570,003F6C78,00000040,?,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDC84
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F6C5C,00000000,003F6570), ref: 003FDC8E
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(003F6570,003F6570,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDCF4
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDCFE
                                                                                                                                                            • ReadFile.KERNELBASE(003F6570,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDD51
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDD5B
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(003F6570,003F64D8,00000000,00000000,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDDD5
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDDDF
                                                                                                                                                            • ReadFile.KERNEL32(003F6570,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDE32
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDE3C
                                                                                                                                                            • ReadFile.KERNEL32(003F6570,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDE8F
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDE99
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(003F6570,003F6570,00000000,00000000,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDEEE
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDEF8
                                                                                                                                                            • ReadFile.KERNEL32(003F6570,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDF52
                                                                                                                                                            • ReadFile.KERNEL32(003F6570,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDFB2
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FDFBC
                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLast$Read$Pointer
                                                                                                                                                            • String ID: .wix$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data too short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$Invalid section info, cContainers too large: %u$PE Header from file didn't match PE Header in memory.$burn$d:\a\wix4\wix4\src\burn\user\section.cpp$feclient.dll
                                                                                                                                                            • API String ID: 3909885910-3917360529
                                                                                                                                                            • Opcode ID: 9181fa5f03d35a045e2b934e920362bf2c5d5202d3323425b6a96ce7e8dd0b6d
                                                                                                                                                            • Instruction ID: 2fffa56abd39836993905a89ecfcaf272d078cddf2d22583784d9a17a8d35dc0
                                                                                                                                                            • Opcode Fuzzy Hash: 9181fa5f03d35a045e2b934e920362bf2c5d5202d3323425b6a96ce7e8dd0b6d
                                                                                                                                                            • Instruction Fuzzy Hash: 46222972A41338B7E7329E158C49FBBB56CAF05B11F114166FB08BF2C1E6B5DD008A99

[Figure: Control-flow Graph, nodes marked Executed / Not Executed]
                                                                                                                                                            APIs
                                                                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,0041DE75,?,?), ref: 0041E395
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,0041DE75,?,?), ref: 0041E39F
                                                                                                                                                            • ResetEvent.KERNEL32(?,?,000000FF,?,?,?,?,0041DE75,?,?), ref: 0041E41C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,0041DE75,?,?), ref: 0041E426
                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorEventLast$Reset
                                                                                                                                                            • String ID: @1#v$Failed to allocate buffer for stream.$Failed to copy stream name: %hs$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 1970322416-3144393372
                                                                                                                                                            • Opcode ID: a4136536d043f0272d2533ae211ca18e2b563a96a752f3d5cb8806fa1d2da97e
                                                                                                                                                            • Instruction ID: 934153827add8f2ad8e360b6d2a77d5517e6f0866d12d48c8561a177c51be3f0
                                                                                                                                                            • Opcode Fuzzy Hash: a4136536d043f0272d2533ae211ca18e2b563a96a752f3d5cb8806fa1d2da97e
                                                                                                                                                            • Instruction Fuzzy Hash: 15A1E73AA81221B3F63216675D4EFEB5858EB44B21F224117BE18BE2C1E69CDC4096DD

[Figure: Control-flow Graph, nodes marked Executed / Not Executed]
                                                                                                                                                            APIs
                                                                                                                                                            • InitializeCriticalSection.KERNEL32(0041401A,003F7D5B,x86,003F7DDB), ref: 003FAA8F
                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalInitializeSection
                                                                                                                                                            • String ID: Date$Failed to add built-in variable: %ls.$Failed to add well-known variable: %ls.$InstallerName$InstallerVersion$LogonUser$RebootPending$SeShutdownPrivilege$WixBundleAction$WixBundleActiveParent$WixBundleCommandLineAction$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInProgressName$WixBundleInstalled$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleManufacturer$WixBundleName$WixBundleOriginalSource$WixBundleOriginalSourceFolder$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion$d:\a\wix4\wix4\src\burn\user\variable.cpp$x86
                                                                                                                                                            • API String ID: 32694325-3643941991
                                                                                                                                                            • Opcode ID: 4bbc19538d73de4dfe8589cd5697a0b49a62530bd600e849e9d11c757abda6d9
                                                                                                                                                            • Instruction ID: 3ad6996c69e63c4392558e108559d02b050ac400228916401c205b8a8bb6a997
                                                                                                                                                            • Opcode Fuzzy Hash: 4bbc19538d73de4dfe8589cd5697a0b49a62530bd600e849e9d11c757abda6d9
                                                                                                                                                            • Instruction Fuzzy Hash: F7526CB4C116289FDB65CF59CD487DDFAB8BB48745F1485DBE20CA6220D7B40A88CF89

[Figure: Control-flow Graph, nodes marked Executed / Not Executed]
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0040CDBB
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040CDC8
                                                                                                                                                              • Part of subcall function 00452B2E: ReadFile.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00452BBF
                                                                                                                                                            • SetFilePointerEx.KERNEL32(00000000,0045E818,00000000,00000000,00000000,?,00000000,0045E860,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0040CEA1
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040CEAB
                                                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,00000000,0045E860,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0040D04E
                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                                                                                                                                            • String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$d:\a\wix4\wix4\src\burn\user\cache.cpp$msi.dll$.#v@1#v
                                                                                                                                                            • API String ID: 3456208997-4058258587

                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00456376
                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0045638E
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000004,00000001,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019,00000000), ref: 0045658F
                                                                                                                                                            Strings
                                                                                                                                                            • SystemTemp, xrefs: 004563BB
                                                                                                                                                            • Failed to ensure array size for Windows\SystemTemp value., xrefs: 004563F0
                                                                                                                                                            • Failed to ensure array size for system TEMP value., xrefs: 00456505
                                                                                                                                                            • GetTempPath2W, xrefs: 0045636E
                                                                                                                                                            • kernel32.dll, xrefs: 0045633E
                                                                                                                                                            • Failed to load kernel32.dll, xrefs: 0045634E
                                                                                                                                                            • Failed to ensure array size for Windows\TEMP value., xrefs: 00456559
                                                                                                                                                            • Failed to open system environment registry key., xrefs: 0045644C
                                                                                                                                                            • TMP, xrefs: 00456469
                                                                                                                                                            • Failed to get system Windows subdirectory path TEMP., xrefs: 00456537
                                                                                                                                                            • Failed to get system Windows subdirectory path SystemTemp., xrefs: 004563CB
                                                                                                                                                            • TEMP, xrefs: 004564CB, 00456527
                                                                                                                                                            • Failed to ensure array size for system TMP value., xrefs: 004564A6
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp, xrefs: 0045635A, 00456565
                                                                                                                                                            • Failed to get temp path from system TMP., xrefs: 0045647C
                                                                                                                                                            • Failed to check if running as system., xrefs: 004563A0
                                                                                                                                                            • System\CurrentControlSet\Control\Session Manager\Environment, xrefs: 0045641A
                                                                                                                                                            • Failed to get temp path from system TEMP., xrefs: 004564DE
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCurrentErrorLastLibraryLoadProcProcess
                                                                                                                                                            • String ID: Failed to check if running as system.$Failed to ensure array size for Windows\SystemTemp value.$Failed to ensure array size for Windows\TEMP value.$Failed to ensure array size for system TEMP value.$Failed to ensure array size for system TMP value.$Failed to get system Windows subdirectory path SystemTemp.$Failed to get system Windows subdirectory path TEMP.$Failed to get temp path from system TEMP.$Failed to get temp path from system TMP.$Failed to load kernel32.dll$Failed to open system environment registry key.$GetTempPath2W$SystemTemp$System\CurrentControlSet\Control\Session Manager\Environment$TEMP$TMP$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp$kernel32.dll
                                                                                                                                                            • API String ID: 1593934338-44121869

                                                                                                                                                            APIs
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 0044F607
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 0044F62B
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 0044F64F
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 0044F673
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 0044F697
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 0044F6BB
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 0044F6DF
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiBeginTransactionW), ref: 0044F70C
                                                                                                                                                            • GetProcAddress.KERNEL32(MsiEndTransaction), ref: 0044F72B
                                                                                                                                                            Strings
                                                                                                                                                            • MsiEnumProductsExW, xrefs: 0044F644
                                                                                                                                                            • MsiGetPatchInfoExW, xrefs: 0044F668
                                                                                                                                                            • MsiDeterminePatchSequenceW, xrefs: 0044F5FC
                                                                                                                                                            • MsiSourceListAddSourceExW, xrefs: 0044F6D4
                                                                                                                                                            • MsiBeginTransactionW, xrefs: 0044F701
                                                                                                                                                            • Msi.dll, xrefs: 0044F5B9
                                                                                                                                                            • MsiDetermineApplicablePatchesW, xrefs: 0044F620
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp, xrefs: 0044F5D8
                                                                                                                                                            • MsiGetProductInfoExW, xrefs: 0044F68C
                                                                                                                                                            • MsiSetExternalUIRecord, xrefs: 0044F6B0
                                                                                                                                                            • Failed to load Msi.DLL, xrefs: 0044F5C9
                                                                                                                                                            • MsiEndTransaction, xrefs: 0044F720
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc
                                                                                                                                                            • String ID: Failed to load Msi.DLL$Msi.dll$MsiBeginTransactionW$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEndTransaction$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp
                                                                                                                                                            • API String ID: 190572456-4147843358

                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,0040A80F,?,?,00000001,00000000,00000008,?,00000000,00000000,?,?), ref: 003F83FF
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,?,0045E908,00000000,00000000,00000000,00000008,00000000,00000000,00000008,?,00000000,00000008,?,?), ref: 003F8A11
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to length of format string.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-2252141963
                                                                                                                                                            • Opcode ID: 5b32eebabb9fc7529268e7fb859fbd9dbd55bfa847ed0e12ab8b7b89b8fa8bb9
                                                                                                                                                            • Instruction ID: 84e2d0e27a609269fe82a4a49d33e8f21bb3f429bf60b6eab0df97c6c7e36fdb
                                                                                                                                                            • Opcode Fuzzy Hash: 5b32eebabb9fc7529268e7fb859fbd9dbd55bfa847ed0e12ab8b7b89b8fa8bb9
                                                                                                                                                            • Instruction Fuzzy Hash: 7112C871E4121DBADB16DF948D45FBF7A68DB04B50F25401AFB01FB180EBB49E008BA5

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • IsWindow.USER32(0045E7C0), ref: 003F76BB
                                                                                                                                                            • PostMessageW.USER32(0045E7C0,00000010,00000000,00000000), ref: 003F76CE
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F76DD
                                                                                                                                                            • CloseHandle.KERNEL32(003F7EA1), ref: 003F76F2
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 003F7703
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 003F7711
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$MessagePostWindow
                                                                                                                                                            • String ID: "%ls" %ls$Failed to allocate full command-line.$Failed to cache to clean room.$Failed to create clean room command-line.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to open clean room log.$Failed to wait for clean room process: %ls$d:\a\wix4\wix4\src\burn\user\user.cpp$msasn1.dll$version.dll$.#v@1#v
                                                                                                                                                            • API String ID: 2982985107-2560174861
                                                                                                                                                            • Opcode ID: 12c316e38666ffe0bd82a423ce985b2f65ac0d1f79f4d76a72f95b908c1fc4e0
                                                                                                                                                            • Instruction ID: a0a8c51cb73ea65b43cd96fbd9bec2da3a251f28d8cca00a43a9aa97967229e3
                                                                                                                                                            • Opcode Fuzzy Hash: 12c316e38666ffe0bd82a423ce985b2f65ac0d1f79f4d76a72f95b908c1fc4e0
                                                                                                                                                            • Instruction Fuzzy Hash: 7961C371E4461DBBDB169BA4CC46FFFBB78AB08710F100125F704B61C1E7B4AA508BA9

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,003FEE16,003F7D9B,?,?,003F7DDB), ref: 003FEC20
                                                                                                                                                            • GetLastError.KERNEL32(?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FEC31
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?), ref: 003FEC85
                                                                                                                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FEC8F
                                                                                                                                                            • DuplicateHandle.KERNELBASE(00000000,?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FEC96
                                                                                                                                                            • GetLastError.KERNEL32(?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FECA0
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FECF1
                                                                                                                                                            • GetLastError.KERNEL32(?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 003FECFB
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                                                                            • String ID: @1#v$Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$crypt32.dll$d:\a\wix4\wix4\src\burn\user\container.cpp$feclient.dll
                                                                                                                                                            • API String ID: 2619879409-564776194
                                                                                                                                                            • Opcode ID: 7655a37e8d420a45cc85513be5b6212748fe4d268b4c08755df1a65866db71f0
                                                                                                                                                            • Instruction ID: 23a8a4560568758c53b302b39a41376327daa9022fac71eba3d8bd0f53243d3f
                                                                                                                                                            • Opcode Fuzzy Hash: 7655a37e8d420a45cc85513be5b6212748fe4d268b4c08755df1a65866db71f0
                                                                                                                                                            • Instruction Fuzzy Hash: A0412972640239BBE7224F55CC49FBBBA6CEF04B21F114225FE04AB291E364DC1087E4

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0044A5AD
                                                                                                                                                            • GetProcAddress.KERNEL32(SystemFunction041), ref: 0044A5C3
                                                                                                                                                            • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0044A624
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0044A63C
                                                                                                                                                            • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0044A682
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0044A69A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$ErrorLast$LibraryLoad
                                                                                                                                                            • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$Failed to load Crypt32.dll$Failed to load a decryption method$Failed to load an encryption method$SystemFunction040$SystemFunction041$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
                                                                                                                                                            • API String ID: 1969025732-402918305
                                                                                                                                                            • Opcode ID: f00aeecd9c8ac2954d82532304bc17a4ba742a0263eb6c71537421c7d3c410a9
                                                                                                                                                            • Instruction ID: 428c35c582f49395b81be16ecc6388fd9cbced96901e12e97fbf5d2bfe083b91
                                                                                                                                                            • Opcode Fuzzy Hash: f00aeecd9c8ac2954d82532304bc17a4ba742a0263eb6c71537421c7d3c410a9
                                                                                                                                                            • Instruction Fuzzy Hash: B431C431EC2321B7F32227516D0AB5E2A5C5710FA1F164967F909BA2E1E27C9C11CB9D

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • GetLocalTime.KERNEL32(00000000,00000000,00000001,0000000C,00000000,?,00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00468FA8,?,00000000), ref: 003F3FF5
                                                                                                                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 003F4064
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F4071
                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 003F4085
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F412A
                                                                                                                                                            Strings
                                                                                                                                                            • .#v@1#v, xrefs: 003F412A
                                                                                                                                                            • Failed to concatenate the temp folder and log prefix., xrefs: 003F3F85
                                                                                                                                                            • failed to allocate memory for the temp path, xrefs: 003F4108
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 003F3F3B, 003F3FC7, 003F4117
                                                                                                                                                            • Failed to copy temp path to return., xrefs: 003F40E9
                                                                                                                                                            • Failed to combine directory and log prefix., xrefs: 003F3F2C
                                                                                                                                                            • Failed to create temp file: %ls, xrefs: 003F40BD
                                                                                                                                                            • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 003F4037
                                                                                                                                                            • Failed to get temp folder., xrefs: 003F3F5D
                                                                                                                                                            • Failed to ensure temp file path exists: %ls, xrefs: 003F3FB8
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateErrorFileHandleLastLocalSleepTime
                                                                                                                                                            • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$Failed to combine directory and log prefix.$Failed to concatenate the temp folder and log prefix.$Failed to copy temp path to return.$Failed to create temp file: %ls$Failed to ensure temp file path exists: %ls$Failed to get temp folder.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$failed to allocate memory for the temp path$.#v@1#v
                                                                                                                                                            • API String ID: 1968021109-2566206112
                                                                                                                                                            • Opcode ID: 546dc994faa074a04dc906e1ee913c6f68cb511621419f0718d9a126ca2f27e1
                                                                                                                                                            • Instruction ID: bd0f21454b0349b3f7cec6c454f2b3324237f3e00c8af512a229847ba08bbb3d
                                                                                                                                                            • Opcode Fuzzy Hash: 546dc994faa074a04dc906e1ee913c6f68cb511621419f0718d9a126ca2f27e1
                                                                                                                                                            • Instruction Fuzzy Hash: 32818F71E4031DBBDB229B95CC46FBFBAB8AB18B11F110125FB00BB2D1D6749D448BA5
                                                                                                                                                            APIs
                                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0041E825
                                                                                                                                                            • CoUninitialize.COMBASE ref: 0041EACD
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InitializeUninitialize
                                                                                                                                                            • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 3442037557-242603754
                                                                                                                                                            • Opcode ID: e1938af64bdfa28ba3e38f395d799d2707c16c464ad21aedc752f7a7032f5951
                                                                                                                                                            • Instruction ID: 1c4c2b42c1821051dbb332aa83d2f8ae1bea76331174300de9183a4542404acb
                                                                                                                                                            • Opcode Fuzzy Hash: e1938af64bdfa28ba3e38f395d799d2707c16c464ad21aedc752f7a7032f5951
                                                                                                                                                            • Instruction Fuzzy Hash: DE6169FAE90226B7E31056578C45BFB6198AF84790F254227FD05BF3C0D1AC9C8056DE
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(0048D4F0,00000000,00000000,00000001,0000000C,0000000C,?,0040A885,00000000,00000001,00468FA8,?,00000000,00000000,0000000C,00000000), ref: 0044B0F7
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(0048D4F0,?,0040A885,00000000,00000001,00468FA8,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 0044B2F9
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: @1#v$Failed to combine the log path.$Failed to copy log path.$Failed to create log based on current system time.$Failed to ensure log file directory exists: %ls$Failed to expand the log path.$Failed to get log directory.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to create log file: %ls
                                                                                                                                                            • API String ID: 3168844106-1501804820
                                                                                                                                                            • Opcode ID: 9d9be614adb206af3c40c5550d3220be6860e65b3bd603769801969e0a41afad
                                                                                                                                                            • Instruction ID: 3a348a551deb19a6c4a3bab53a8617b42b930f2ae02ab789b559c00444ffa7e5
                                                                                                                                                            • Opcode Fuzzy Hash: 9d9be614adb206af3c40c5550d3220be6860e65b3bd603769801969e0a41afad
                                                                                                                                                            • Instruction Fuzzy Hash: F251BA71E41318BBFB216F558C4AFAF3669EB14B51F100557F900BA2E1D7B4DD009B98
                                                                                                                                                            APIs
                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,?,00000000,?,?,003FED4D,?,00000000,?,003FEE16), ref: 0041EEC9
                                                                                                                                                            • GetLastError.KERNEL32(?,003FED4D,?,00000000,?,003FEE16,003F7D9B,?,?,003F7DDB,003F7DDB,00000000,?,00000000), ref: 0041EED6
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateErrorEventLast
                                                                                                                                                            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp$wininet.dll
                                                                                                                                                            • API String ID: 545576003-3725142438
                                                                                                                                                            • Opcode ID: a7466af586dff08f492e528cffe7d2bdf9ad88fd7ad14cdb562d5b5b493dadc6
                                                                                                                                                            • Instruction ID: 8fdfdb5447cf7b9003ed8b537ca1f00062ef2a02ec42c2cc04e334c220c8c442
                                                                                                                                                            • Opcode Fuzzy Hash: a7466af586dff08f492e528cffe7d2bdf9ad88fd7ad14cdb562d5b5b493dadc6
                                                                                                                                                            • Instruction Fuzzy Hash: BF313976A8073A77E32116664C49FF7645CEB04B60F114123FE44BB281E69CDC4146EC
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,003F7D5B,00000000,003F7DDB,?,?,003FB898,00000002,?,8D4BE800,00000000), ref: 003FA0E6
                                                                                                                                                              • Part of subcall function 003F8306: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,003F9840,003F9840,?,003F8154,?,?,00000000), ref: 003F8342
                                                                                                                                                              • Part of subcall function 003F8306: GetLastError.KERNEL32(?,003F8154,?,?,00000000,?,00000000,003F9840,?,003FB468,?,?,?,?,?), ref: 003F8371
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,8D4BE800,00000000), ref: 003FA2AD
                                                                                                                                                            Strings
                                                                                                                                                            • Setting hidden variable '%ls', xrefs: 003FA1C6
                                                                                                                                                            • Setting %ls variable '%ls' to value '%ls', xrefs: 003FA233
                                                                                                                                                            • Unsetting variable '%ls', xrefs: 003FA242
                                                                                                                                                            • Failed to find variable value '%ls'., xrefs: 003FA101
                                                                                                                                                            • Failed to set value of variable: %ls, xrefs: 003FA28D
                                                                                                                                                            • Setting numeric variable '%ls' to value %lld, xrefs: 003FA209
                                                                                                                                                            • formatted, xrefs: 003FA223
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FA17D, 003FA29F
                                                                                                                                                            • Attempt to set built-in variable value: %ls, xrefs: 003FA188
                                                                                                                                                            • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 003FA2BF
                                                                                                                                                            • Failed to insert variable '%ls'., xrefs: 003FA12E
                                                                                                                                                            • Setting version variable '%ls' to value '%ls', xrefs: 003FA1F2
                                                                                                                                                            • string, xrefs: 003FA22A, 003FA232
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                                                                                                                            • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting %ls variable '%ls' to value '%ls'$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%ls'$Unsetting variable '%ls'$d:\a\wix4\wix4\src\burn\user\variable.cpp$formatted$string
                                                                                                                                                            • API String ID: 2716280545-2464245954
                                                                                                                                                            • Opcode ID: 0b2a13e34d73862ea5983511487b989c7b1384fc85e153e111e029c4c35e6578
                                                                                                                                                            • Instruction ID: ea33b9bd404eb57cf92cdb7492dc75a9ee7ecbf1519eb77f36e4c94e3ce78741
                                                                                                                                                            • Opcode Fuzzy Hash: 0b2a13e34d73862ea5983511487b989c7b1384fc85e153e111e029c4c35e6578
                                                                                                                                                            • Instruction Fuzzy Hash: AB513AB0740B08BBDB379E448D4AF773A68DF51B14F120419FB0C6A1D2E2B6D940C6A3
                                                                                                                                                            APIs
                                                                                                                                                            • Sleep.KERNEL32(000007D0,00000008,?,00000000,00000000,?,?), ref: 0040A749
                                                                                                                                                            Strings
                                                                                                                                                            • Setup, xrefs: 0040A6C2
                                                                                                                                                            • Failed to initialize logging., xrefs: 0040A660
                                                                                                                                                            • Failed to get parent directory from '%ls'., xrefs: 0040A850
                                                                                                                                                            • log, xrefs: 0040A6F5
                                                                                                                                                            • Failed to copy log path to prefix., xrefs: 0040A903
                                                                                                                                                            • Failed to open log: %ls, xrefs: 0040A7C8
                                                                                                                                                            • Failed to copy log extension to extension., xrefs: 0040A930
                                                                                                                                                            • Failed to get non-session specific TEMP folder., xrefs: 0040A8A5
                                                                                                                                                            • Failed to copy log file path from command line., xrefs: 0040A63A
                                                                                                                                                            • Failed to copy default log extension., xrefs: 0040A706
                                                                                                                                                            • Failed to copy full log path to prefix., xrefs: 0040A95B
                                                                                                                                                            • Failed to copy default log prefix., xrefs: 0040A6D3
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\logging.cpp, xrefs: 0040A64C, 0040A66F, 0040A7DA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Sleep
                                                                                                                                                            • String ID: Failed to copy default log extension.$Failed to copy default log prefix.$Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log file path from command line.$Failed to copy log path to prefix.$Failed to get non-session specific TEMP folder.$Failed to get parent directory from '%ls'.$Failed to initialize logging.$Failed to open log: %ls$Setup$d:\a\wix4\wix4\src\burn\user\logging.cpp$log
                                                                                                                                                            • API String ID: 3472027048-3437580743
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcAddress.KERNEL32(00000003,GetTempPath2W), ref: 003F4E74
                                                                                                                                                            • GetTempPathW.KERNELBASE ref: 003F4E98
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressPathProcTemp
                                                                                                                                                            • String ID: Failed to allocate space for temp path.$Failed to get max length of input buffer.$Failed to get temp path.$Failed to load kernel32.dll$Failed to reallocate space for temp path.$GetTempPath2W$GetTempPathW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$kernel32.dll
                                                                                                                                                            • API String ID: 585057242-945536007
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 0041DEB0
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0041DEC6
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0041DECF
                                                                                                                                                            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 0041DED6
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0041DEE0
                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0041DF7F
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0041DF8C
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                                                            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 3030546534-373254902
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • CoTaskMemFree.OLE32(00000000,00000000,00000000,003F6570,00000000,?,?,?,0045284A,00000000,?,003F6C5C,00000000), ref: 00452B11
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000000,00000000,003F6570,00000000,?,?,?,0045284A,00000000,?,003F6C5C), ref: 00452B20
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLibrary$ErrorLastLoadTask
                                                                                                                                                            • String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to find SHGetKnownFolderPath entry point.$Failed to get known folder path.$Failed to load shell32.dll.$SHGetKnownFolderPath$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp$shell32.dll
                                                                                                                                                            • API String ID: 3444712580-2659096373
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,00000000,00000000,?,?,004134D1,00000000,?), ref: 00412AF3
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,004134D1,00000000,?), ref: 00412AFD
                                                                                                                                                            • DuplicateHandle.KERNELBASE(00000000,?,?,004134D1,00000000,?), ref: 00412B04
                                                                                                                                                            • GetLastError.KERNEL32(?,?,004134D1,00000000,?), ref: 00412B0E
                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,004134D1,00000000,?), ref: 00412BAF
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                                                                                                            • String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$d:\a\wix4\wix4\src\burn\user\core.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 4224961946-3878897524
                                                                                                                                                            APIs
                                                                                                                                                            • OpenProcessToken.ADVAPI32(003F6570,00000008,00000000,003F6C5C,003F6C78,00000000,003F6570,00000000,?,?,?,?,?,?), ref: 0044B7B4
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0044B7BE
                                                                                                                                                            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),00000004,00000004,?,?,?,?,?,?,?), ref: 0044B807
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0044B820
                                                                                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 0044B876
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                                                                                                                            • String ID: Failed to get elevation token from process.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 4040495316-757271117
                                                                                                                                                            APIs
                                                                                                                                                            • InitializeCriticalSection.KERNEL32(003F6C94,00000000,00000000,00000000,?,?,?,003F7B5B,?,?,00000000,?,?,00000003,00000000,003F6570), ref: 003F67AF
                                                                                                                                                            • InitializeCriticalSection.KERNEL32(003F6C28,?,?,?,003F7B5B,?,?,00000000,?,?,00000003,00000000,003F6570,00000000), ref: 003F67BC
                                                                                                                                                            • InitializeCriticalSection.KERNEL32(003F663C,?,?,?,003F7B5B,?,?,00000000,?,?,00000003,00000000,003F6570,00000000), ref: 003F67D3
                                                                                                                                                            • GetCurrentProcess.KERNEL32(003F6CEC,003F6C78,003F6C5C,?,?,?,003F7B5B,?,?,00000000,?,?,00000003,00000000,003F6570,00000000), ref: 003F67F8
                                                                                                                                                              • Part of subcall function 0044B796: OpenProcessToken.ADVAPI32(003F6570,00000008,00000000,003F6C5C,003F6C78,00000000,003F6570,00000000,?,?,?,?,?,?), ref: 0044B7B4
                                                                                                                                                              • Part of subcall function 0044B796: GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0044B7BE
                                                                                                                                                              • Part of subcall function 0044B796: CloseHandle.KERNELBASE(00000000), ref: 0044B876
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,0046E414,000000FF,003F6C5C,003F6C78,003F6570,?,00000000,?), ref: 0041470C
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 0041472F
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00414752
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E458,000000FF), ref: 00414775
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E45C,000000FF), ref: 00414798
                                                                                                                                                              • Part of subcall function 0041469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 004147BB
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to initialize internal cache functionality., xrefs: 003F687A
                                                                                                                                                            • Fatal error while parsing command line., xrefs: 003F6824
                                                                                                                                                            • Failed to initialize user section., xrefs: 003F684D
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F688C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString$CriticalInitializeSection$Process$CloseCurrentErrorHandleLastOpenToken
                                                                                                                                                            • String ID: Failed to initialize user section.$Failed to initialize internal cache functionality.$Fatal error while parsing command line.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 268551788-2320754317
                                                                                                                                                            • Opcode ID: 0e7de0d82d9ee1673170d9f05b1ca4ac9eb12dfd0ebe51a12ff4ed7ecdd26cf8
                                                                                                                                                            • Instruction ID: 1ca9d206d2b9e4601450382c1df5d9ec0bc2c575de9e843dbea2d7104cd07e25
                                                                                                                                                            • Opcode Fuzzy Hash: 0e7de0d82d9ee1673170d9f05b1ca4ac9eb12dfd0ebe51a12ff4ed7ecdd26cf8
                                                                                                                                                            • Instruction Fuzzy Hash: BE3143B1941219BADB12DFA5DC86FDB3B6CEF08754F040576FE08EF186E674A5008BA4
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,00000000,00000000,?,00000000,?), ref: 00412BF1
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00412C80
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                                                                            • String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self$d:\a\wix4\wix4\src\burn\user\core.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 3498533004-1894646234
                                                                                                                                                            • Opcode ID: e27077a5950da292337c1d0a88bd86512d14137223e3e394886e12cecae4f7ad
                                                                                                                                                            • Instruction ID: b8d8acc7046b8b04b7a9b6e6d34a1ccff7a8455e2de8f1c80dbeb0ebfdd3d8e4
                                                                                                                                                            • Opcode Fuzzy Hash: e27077a5950da292337c1d0a88bd86512d14137223e3e394886e12cecae4f7ad
                                                                                                                                                            • Instruction Fuzzy Hash: 0511DA31A80314B7E7311A599D4AF9F3A589B45B71F200342FF14B62D1F2F8456186DA
                                                                                                                                                            APIs
                                                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0045059B
                                                                                                                                                            • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0048D6D8,?,00000000,003F7C5D,?,?,?,?,?,?), ref: 004505EA
                                                                                                                                                            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0048D6D8,?,?,?,?,?,?), ref: 004505FA
                                                                                                                                                            Strings
                                                                                                                                                            • failed to get CLSID for XML DOM, xrefs: 00450606
                                                                                                                                                            • failed to initialize COM, xrefs: 004505AF
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 004505BB
                                                                                                                                                            • Msxml2.DOMDocument, xrefs: 004505E5
                                                                                                                                                            • MSXML.DOMDocument, xrefs: 004505F5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FromProg$Initialize
                                                                                                                                                            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to get CLSID for XML DOM$failed to initialize COM
                                                                                                                                                            • API String ID: 4047641309-3267221515
                                                                                                                                                            • Opcode ID: 12e88d7aaff1f415d197c307ba5d8481f4d5e947e23d4fd9270d19bc833ccf14
                                                                                                                                                            • Instruction ID: 150a3e54d095f3c9978202bb8e7dee22c3534648870316330111a6b2d756406f
                                                                                                                                                            • Opcode Fuzzy Hash: 12e88d7aaff1f415d197c307ba5d8481f4d5e947e23d4fd9270d19bc833ccf14
                                                                                                                                                            • Instruction Fuzzy Hash: 60012475F8232836E2213A165C0AB5B1A449760FA3F110827FD09F72C2F2988A4087DD
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000000,00000001,00000000), ref: 00453C09
                                                                                                                                                            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000001,00000000), ref: 00453C54
                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00453C98
                                                                                                                                                            • GetLastError.KERNEL32(?,0045F890,?,00000000,?,00000000,00000000,00000000), ref: 00453CF6
                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 00453D48
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$Global$AllocFree
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to allocate version info for file: %ls$failed to get version info for file: %ls$failed to get version value for file: %ls
                                                                                                                                                            • API String ID: 1145190524-120110023
                                                                                                                                                            • Opcode ID: b3901ceee80d1e0423b306401ac70af5f75b4e484c2a66694a9182b3afa59c8b
                                                                                                                                                            • Instruction ID: 4f044825c9c257549f7243fc0854576e5c5a21e1aecb690bbb9b68251aa94fb1
                                                                                                                                                            • Opcode Fuzzy Hash: b3901ceee80d1e0423b306401ac70af5f75b4e484c2a66694a9182b3afa59c8b
                                                                                                                                                            • Instruction Fuzzy Hash: 33414E72A40329BBE3216A519C01FBF7A7C9F45792F114417FD04BB2C2D278DE0046E9
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,00000000,000000FF,00000000,00000005,00000000,00000000,00000005,00000000,00000000,00000000,0000001C), ref: 00451F49
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0040F669,?,0000001C,00000000,0000001C,?,00000000,WiX\Burn,PackageCache,00000000,0000001C,00000018,00000000), ref: 00451F53
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareErrorLastString
                                                                                                                                                            • String ID: Both paths are required.$Failed to canonicalize wzPath1.$Failed to canonicalize wzPath2.$Failed to compare canonicalized paths.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                            • API String ID: 1733990998-2188151180
                                                                                                                                                            • Opcode ID: f2f4b58758fc50d08d367a8b57cd35041de6637c93f8df90600da14863ba10fb
                                                                                                                                                            • Instruction ID: f62d7a2299cd5ea5390aa3b466bc2df3c3e5e1c7264d606e1de9ccaa42693e42
                                                                                                                                                            • Opcode Fuzzy Hash: f2f4b58758fc50d08d367a8b57cd35041de6637c93f8df90600da14863ba10fb
                                                                                                                                                            • Instruction Fuzzy Hash: 4B313E73940229BBEB1256858C45FBFBA6CDB41B65F214217FD00BA2E2D3788D00D7AC
                                                                                                                                                            APIs
                                                                                                                                                            • CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000,?,0040ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000), ref: 003F6313
                                                                                                                                                            • GetLastError.KERNEL32(?,0040ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000,00000000,?,00000021,00000000), ref: 003F6321
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                                                            • String ID: cannot find parent path$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to create path: %ls
                                                                                                                                                            • API String ID: 1375471231-3388094611
                                                                                                                                                            • Opcode ID: c54b3feaa7575227185e803056c76c0c544e56ee1db5bbf40cf4bb5745f57f12
                                                                                                                                                            • Instruction ID: 5ffa8df6fde17f83b599ffb5ca8438fa8e6c83c94be7243dc543c330fd63d703
                                                                                                                                                            • Opcode Fuzzy Hash: c54b3feaa7575227185e803056c76c0c544e56ee1db5bbf40cf4bb5745f57f12
                                                                                                                                                            • Instruction Fuzzy Hash: 4321282AB4033CB3EB332A525C43F3F6A589F51B61F160026FF09EB1A1D265CC4192E5
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: %ls%ls$Failed to create the fully-qualified path to %ls.$Failed to get the Windows system directory.$Failed to load the library %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                            • API String ID: 0-242608188
                                                                                                                                                            • Opcode ID: e190f10b53a2060b88ae0b9c59232077677f6bf3db6aef1a27a2231025fd6c37
                                                                                                                                                            • Instruction ID: 83fe87827cdca08e75fa65babba46edc19a0633b41b69407d3353a212577554d
                                                                                                                                                            • Opcode Fuzzy Hash: e190f10b53a2060b88ae0b9c59232077677f6bf3db6aef1a27a2231025fd6c37
                                                                                                                                                            • Instruction Fuzzy Hash: 9D21B471E81318F7DB269B959C16FBF7AA8AF00B51F114055FF04BA281E7B19E00D6D0
                                                                                                                                                            APIs
                                                                                                                                                            • VariantInit.OLEAUT32(003F7D5B), ref: 00450651
                                                                                                                                                              • Part of subcall function 0044FE01: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,003F7DDB,?,00450662,00000000,003F7D5B,00000000,?,?,004140B9,?,?,003F7D5B,?), ref: 0044FE1F
                                                                                                                                                              • Part of subcall function 0044FE01: GetLastError.KERNEL32(?,00450662,00000000,003F7D5B,00000000,?,?,004140B9,?,?,003F7D5B,?,?,?,?,?), ref: 0044FE2B
                                                                                                                                                            Strings
                                                                                                                                                            • failed put_validateOnParse, xrefs: 004506B5
                                                                                                                                                            • failed XmlCreateDocument, xrefs: 00450674
                                                                                                                                                            • failed put_resolveExternals, xrefs: 004506F1
                                                                                                                                                            • failed loadXML, xrefs: 00450761
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00450683, 004506C4
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed loadXML$failed put_resolveExternals$failed put_validateOnParse
                                                                                                                                                            • API String ID: 52713655-3681987369
                                                                                                                                                            • Opcode ID: 61dd6b28967ace7be6c2edd29ed830b3477eb62f675fa3828bf7164f740dd2e2
                                                                                                                                                            • Instruction ID: 5e64834a39f1b64244776f435d33aa00aa6eb0dc3bab0e9fb31cb9889cb91719
                                                                                                                                                            • Opcode Fuzzy Hash: 61dd6b28967ace7be6c2edd29ed830b3477eb62f675fa3828bf7164f740dd2e2
                                                                                                                                                            • Instruction Fuzzy Hash: 5B410635A40318ABDB05DFA8CC45FDE77B5AF48B11F11006AF904FB391EA74AE058B99
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,004562A5,00000000,00000000,80000002,00000000,00020019,?,00020019,00000000,00000000,00000000), ref: 00455FBC
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to re-allocate more space for expanded path., xrefs: 00456027
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp, xrefs: 00455F6B, 00456044, 00456049, 0045605E
                                                                                                                                                            • Failed to expand environment variables in string: %ls, xrefs: 00456052
                                                                                                                                                            • Failed to allocate space for expanded path., xrefs: 00455F98
                                                                                                                                                            • Failed to get max length of input buffer., xrefs: 00455F5F
                                                                                                                                                            • Failed to get max length of written input buffer., xrefs: 00456016
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID: Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to get max length of written input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp
                                                                                                                                                            • API String ID: 1452528299-33012345
                                                                                                                                                            • Opcode ID: ecacc8b1ed0226caa85981ff3ec55a9f9bddae1d7a3af7bb4f2b9569385bc9e0
                                                                                                                                                            • Instruction ID: 989f3f131e0f4fa257665bcc5f13cc16d069e2d714fcbaeb12c0e7090bab1c33
                                                                                                                                                            • Opcode Fuzzy Hash: ecacc8b1ed0226caa85981ff3ec55a9f9bddae1d7a3af7bb4f2b9569385bc9e0
                                                                                                                                                            • Instruction Fuzzy Hash: 4D312772A40A25B7EB325A558C1AF7F79589B01B52F120513FE04FF2C3E2A88D049699
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Failed to concatenate string to pre-init buffer$Failed to get length of raw string$Failed to write output to log: %ls - %hs$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
                                                                                                                                                            • API String ID: 0-492501437
                                                                                                                                                            • Opcode ID: 241bb4acb475a1959dbcac3835b052f1efb6fb81b6bd8d63a74cbdd606c5e133
                                                                                                                                                            • Instruction ID: 2bb64697988fd74d436cc74e76565ace78a6ff11e1ddf66d8180b520bd5de7b4
                                                                                                                                                            • Opcode Fuzzy Hash: 241bb4acb475a1959dbcac3835b052f1efb6fb81b6bd8d63a74cbdd606c5e133
                                                                                                                                                            • Instruction Fuzzy Hash: 91213E72E80254B7F32196958C4AFBF765DDB40B60F100517F700BA1C1E778AD1087AA
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000), ref: 003F1136
                                                                                                                                                              • Part of subcall function 003F79D1: lstrlenW.KERNEL32(burn.clean.room,?,?,?,003F1144,?,?,00000000), ref: 003F79EF
                                                                                                                                                              • Part of subcall function 003F79D1: CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,003F1144,?,?,00000000), ref: 003F7A1F
                                                                                                                                                              • Part of subcall function 003F1651: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,003F114D), ref: 003F1658
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,0EHE`ExE,?), ref: 003F1191
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCompareCreateFileHandleHeapInformationStringlstrlen
                                                                                                                                                            • String ID: 0EHE`ExE$D:\a\wix4\wix4\src\burn\stub\stub.cpp$Failed to run application.$.#v@1#v
                                                                                                                                                            • API String ID: 4127744429-3808042760
                                                                                                                                                            • Opcode ID: 902d64d3771eb431154131bdb33f7b8ae370ce6943dfee988a9aba32736a51ce
                                                                                                                                                            • Instruction ID: 562d1f68acffcbd8f7f860268acea9361f6f3b99d8224eeb9bdb7382a060a198
                                                                                                                                                            • Opcode Fuzzy Hash: 902d64d3771eb431154131bdb33f7b8ae370ce6943dfee988a9aba32736a51ce
                                                                                                                                                            • Instruction Fuzzy Hash: F101D832A4131CB6EB236A65FC06FBE6B249F05B21F114115FF01BA2C1D6A49914C665
                                                                                                                                                            APIs
                                                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,0044CDF4), ref: 0044D224
                                                                                                                                                              • Part of subcall function 003F55C9: GetProcessHeap.KERNEL32(00000000,?,?,?,0041DE2B,?), ref: 003F55D3
                                                                                                                                                              • Part of subcall function 003F55C9: RtlFreeHeap.NTDLL(00000000,?,?,0041DE2B,?), ref: 003F55DA
                                                                                                                                                              • Part of subcall function 003F55C9: GetLastError.KERNEL32(?,?,0041DE2B,?), ref: 003F55E4
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$ErrorFreeLastProcesslstrlen
                                                                                                                                                            • String ID: Failed to allocate buffer for raw registry value.$Failed to expand registry value: %ls$Failed to get size of raw registry value.$Failed to read raw registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 1805815496-598890354
                                                                                                                                                            • Opcode ID: e90adfaa0e90ce37c344aea375387a29e5238011eb0ca31d1dced52ea9c9d686
                                                                                                                                                            • Instruction ID: dd9f0c992b2af57c334efb4e97b6b6d088dab3576dbbc5af043d5a262cbad132
                                                                                                                                                            • Opcode Fuzzy Hash: e90adfaa0e90ce37c344aea375387a29e5238011eb0ca31d1dced52ea9c9d686
                                                                                                                                                            • Instruction Fuzzy Hash: 9F41D631E40615BBFF21AE94CC4AF6F76A8AB46754F200056FE01AB280D3F8DD41C799
                                                                                                                                                            APIs
                                                                                                                                                            • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00452BBF
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileRead
                                                                                                                                                            • String ID: Failed to read from source.$Failed to write to target.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            • API String ID: 2738559852-3357669501
                                                                                                                                                            • Opcode ID: 648293cee42699b5377ca3da746e0699f34db4598b5398c9e646b5ae11bb6f92
                                                                                                                                                            • Instruction ID: 2ddefb14a2d936b67e352681c4d5203f0d0f52be522bdaf3598c89754cf1ca21
                                                                                                                                                            • Opcode Fuzzy Hash: 648293cee42699b5377ca3da746e0699f34db4598b5398c9e646b5ae11bb6f92
                                                                                                                                                            • Instruction Fuzzy Hash: B241CA31A00269ABDB21DE15CD81BDF73A8AB45742F00406BBD44E7242D7F8DDC89B98
                                                                                                                                                            APIs
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0041E158
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?), ref: 0041E162
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 2976181284-2861879377
                                                                                                                                                            • Opcode ID: 8ab4d3c90b1bd1a2382bdaf322d4a0bbcb4e0bc37741cc94c299371353d503d6
                                                                                                                                                            • Instruction ID: 4719f257edb4c508ef44fae1fb5973af1f47314c2863c49ff1ce323cf55d8e5a
                                                                                                                                                            • Opcode Fuzzy Hash: 8ab4d3c90b1bd1a2382bdaf322d4a0bbcb4e0bc37741cc94c299371353d503d6
                                                                                                                                                            • Instruction Fuzzy Hash: A131E275A0021AFBCB10CFAADC85EEAB768FB04714F148616FD0497281D374E950CB94
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 004565DD, 00456635
                                                                                                                                                            • SOFTWARE\Policies\, xrefs: 004565BE
                                                                                                                                                            • Failed to combine logging path with root path., xrefs: 004565CE
                                                                                                                                                            • Failed to open policy registry key., xrefs: 00456626
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Failed to combine logging path with root path.$Failed to open policy registry key.$SOFTWARE\Policies\$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                            • API String ID: 0-3658365009
                                                                                                                                                            • Opcode ID: b680f3240cfdf58de34572ad03ea16a3882ef131616ea3a3ee54a43e783bcbba
                                                                                                                                                            • Instruction ID: 57e8aaf6242f43825006930ec8167dce961f8c6d9d6f36489c3d62a8ff4c9e6a
                                                                                                                                                            • Opcode Fuzzy Hash: b680f3240cfdf58de34572ad03ea16a3882ef131616ea3a3ee54a43e783bcbba
                                                                                                                                                            • Instruction Fuzzy Hash: D1110B32A41225B7DB2176948C07F6F7A588B10752FA30012BE04BB183D679CE14D7DE
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F174A: WaitForSingleObject.KERNEL32(?,*A,00000000,?,0041EA2A,?,000000FF), ref: 003F1756
                                                                                                                                                            • GetExitCodeProcess.KERNELBASE(0045E7E8,00000000), ref: 0044BF6C
                                                                                                                                                            • GetLastError.KERNEL32(?,003F768F,?,000000FF,?,?,?,00000001), ref: 0044BF76
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CodeErrorExitLastObjectProcessSingleWait
                                                                                                                                                            • String ID: Failed to get process return code.$Failed to wait for process to complete.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                            • API String ID: 1402617016-1146304469
                                                                                                                                                            • Opcode ID: a882b961229210bfbf80da721c3556893e730de3fec44fae7e9cae249be9a112
                                                                                                                                                            • Instruction ID: 88b04da14303535b30b746a9e1437d80d72e64942d32d7ffb21b257f3432ce71
                                                                                                                                                            • Opcode Fuzzy Hash: a882b961229210bfbf80da721c3556893e730de3fec44fae7e9cae249be9a112
                                                                                                                                                            • Instruction Fuzzy Hash: 8B01E532B40229B7EB3229999C09FAF695CDF04751F050527FE08EA291E36CCD419AE9
                                                                                                                                                            APIs
                                                                                                                                                            • UuidCreate.RPCRT4(?), ref: 00455CDB
                                                                                                                                                            • StringFromGUID2.OLE32(?,00000000,00000027), ref: 00455D02
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateFromStringUuid
                                                                                                                                                            • String ID: Failed to convert guid into string.$UuidCreate failed.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\guidutil.cpp
                                                                                                                                                            • API String ID: 4041566446-2208176607
                                                                                                                                                            • Opcode ID: a3781f30981b258d4c204837f99722e7799f36eab8f0863aab2ca46c17334ed0
                                                                                                                                                            • Instruction ID: ffc2212937426a6a9b6cc0cdf5ad231594b289a48969e59f6908d9a55b5ee210
                                                                                                                                                            • Opcode Fuzzy Hash: a3781f30981b258d4c204837f99722e7799f36eab8f0863aab2ca46c17334ed0
                                                                                                                                                            • Instruction Fuzzy Hash: 1501DB71740708B6E710A6A5DC4EFBFB7A8DB49715F110826FA01FB183E1688D088775
                                                                                                                                                            APIs
                                                                                                                                                            • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,003F6570,00000000,?,?,?,?,?), ref: 003F7BB5
                                                                                                                                                              • Part of subcall function 0041D137: CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 0041D2CD
                                                                                                                                                              • Part of subcall function 0041D137: CloseHandle.KERNEL32(00000000,?), ref: 0041D2E2
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to initialize COM., xrefs: 003F7BC1
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7B31
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$Initialize
                                                                                                                                                            • String ID: Failed to initialize COM.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000006,00000006,00000070,00000000,00000000,00000000,00000000,00000000,?,?,0040C9FA,WiX\Burn,userWorkingDirectory,00000000), ref: 004568C4
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00456845, 004568A5
                                                                                                                                                            • Failed to open policy key: %ls, name: %ls, xrefs: 00456896
                                                                                                                                                            • Failed to open policy key: %ls, xrefs: 00456839
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0000001C,?,?,0040F5CE,WiX\Burn,PackageCache,00000000,0000001C), ref: 004567D9
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00456760, 004567BA
                                                                                                                                                            • Failed to open policy key: %ls, name: %ls, xrefs: 004567AE
                                                                                                                                                            • Failed to open policy key: %ls, xrefs: 00456754
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,003F7659,?,?,00000001,00000000,00000000), ref: 00413844
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,003F7659,?,?,00000001,00000000,00000000), ref: 0041384A
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateErrorLastProcess
                                                                                                                                                            • String ID: CreateProcessW failed with return code: %d$d:\a\wix4\wix4\src\burn\user\core.cpp
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0041EB41: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0041E01F,?,?,?), ref: 0041EB69
                                                                                                                                                              • Part of subcall function 0041EB41: GetLastError.KERNEL32(?,0041E01F,?,?,?), ref: 0041EB73
                                                                                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 0041E02D
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041E037
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLast$PointerRead
                                                                                                                                                            • String ID: Failed to read during cabinet extraction.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • WriteFile.KERNELBASE(?,00000000,00000000,0040CE5F,00000000,00000000,00000000,?,?,?,00452BE6,?,?,?), ref: 00453F95
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00452BE6,?,?,?), ref: 00453F9F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                            • String ID: Failed to write data to file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539F5
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539FF
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                            • String ID: Failed to set file pointer.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0041E01F,?,?,?), ref: 0041EB69
                                                                                                                                                            • GetLastError.KERNEL32(?,0041E01F,?,?,?), ref: 0041EB73
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                            • String ID: Failed to move to virtual file pointer.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 2976181284-2079782632
                                                                                                                                                            • Opcode ID: a73bd147b14884694d386127c7845d22d8fdcc256f391a77a8bf389adee9491b
                                                                                                                                                            • Instruction ID: a7d86aaca82cdee910ffbef9061afdbfdfc20319cd8f8035bde4984d2368e013
                                                                                                                                                            • Opcode Fuzzy Hash: a73bd147b14884694d386127c7845d22d8fdcc256f391a77a8bf389adee9491b
                                                                                                                                                            • Instruction Fuzzy Hash: 0301D27664023A77D7214A579C08EABFA2CEF017B0F018126FE18AB251D629EC2097D8
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,00000000,00000002,00000002,?,0040A612,00000008,?), ref: 0040A072
                                                                                                                                                            Strings
                                                                                                                                                            • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00409FE8
                                                                                                                                                            • Logging, xrefs: 00409FFF
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
                                                                                                                                                            • API String ID: 3535843008-387823766
                                                                                                                                                            • Opcode ID: 614b6b3ff6580a2e82784136954ee688d54658a9c56ce48ca1158027e519e328
                                                                                                                                                            • Instruction ID: f5ce468ce1efaf29c93054aed05dc7969193815c0762b1713f0ad05172ada99e
                                                                                                                                                            • Opcode Fuzzy Hash: 614b6b3ff6580a2e82784136954ee688d54658a9c56ce48ca1158027e519e328
                                                                                                                                                            • Instruction Fuzzy Hash: 1411787554030DABEB34AE20C842BBF7768AB05711FA00077E901FB2C1D67C9F51C25A
                                                                                                                                                            APIs
                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(?,0044CBBE,00000000,00000000,00000003,00000000,?,?,00456603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0044CBED
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044CC1C, 0044CC22, 0044CC39
                                                                                                                                                            • Failed to open registry key, root: %x, subkey: %ls., xrefs: 0044CC2E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Open
                                                                                                                                                            • String ID: Failed to open registry key, root: %x, subkey: %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 71445658-2584571730
                                                                                                                                                            • Opcode ID: 189de66d6954a27c01ffb5771420b466636e5809ded0d81a914945a58cafa20e
                                                                                                                                                            • Instruction ID: e5fda2a87125c747c8de42b076172433830a97d98017403e2a99023807c0ddbb
                                                                                                                                                            • Opcode Fuzzy Hash: 189de66d6954a27c01ffb5771420b466636e5809ded0d81a914945a58cafa20e
                                                                                                                                                            • Instruction Fuzzy Hash: D0012676101159B6FB211A078CC9EAF3A5ADBC43A0F194026FE088B350D6398C5197BC
                                                                                                                                                            APIs
                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003F80F4
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to initialize user state., xrefs: 003F7B61
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7B31
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Uninitialize
                                                                                                                                                            • String ID: Failed to initialize user state.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3861434553-3105230827
                                                                                                                                                            • Opcode ID: 8e3b04386070cea6b92da4e1f35fe0a1a776fe535e7ad7136dd78211ec3e5bef
                                                                                                                                                            • Instruction ID: 2a29d4b344cc3d8142bff24168984a5160417bcf8fedfc1a342d11d8e9e5f5ca
                                                                                                                                                            • Opcode Fuzzy Hash: 8e3b04386070cea6b92da4e1f35fe0a1a776fe535e7ad7136dd78211ec3e5bef
                                                                                                                                                            • Instruction Fuzzy Hash: C541973090522D96EF36B761CC06BBD72B8AF00309F1945EBA648665C2DF748DC9CF96
                                                                                                                                                            APIs
                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003F80F4
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to initialize Cryputil., xrefs: 003F7BE6
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7B31
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Uninitialize
                                                                                                                                                            • String ID: Failed to initialize Cryputil.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3861434553-397782128
                                                                                                                                                            • Opcode ID: ed1c24e454990001c3e3ad9b4753bb630383178cfa29021d5b88ab84348da8de
                                                                                                                                                            • Instruction ID: 0daace282a9a18034485381fc52b88c9a62fbc675d1718d45e55470c88e7c5ae
                                                                                                                                                            • Opcode Fuzzy Hash: ed1c24e454990001c3e3ad9b4753bb630383178cfa29021d5b88ab84348da8de
                                                                                                                                                            • Instruction Fuzzy Hash: 5B41973090522D96EF36B761CC06BBD72B8AF00309F1945EBA648665C2DF748DC9CF96
                                                                                                                                                            APIs
                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003F80F4
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7B31
                                                                                                                                                            • Failed to initialize Regutil., xrefs: 003F7C13
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Uninitialize
                                                                                                                                                            • String ID: Failed to initialize Regutil.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3861434553-4164290783
                                                                                                                                                            • Opcode ID: 27569c2c1f112d4921ca51c36bc205271c96ee7079537ed9f694b11399e5295c
                                                                                                                                                            • Instruction ID: 1cb4d05aac7c838b1678f599ea7a1e1a88f33bb3297be1200bad52fbd880da4e
                                                                                                                                                            • Opcode Fuzzy Hash: 27569c2c1f112d4921ca51c36bc205271c96ee7079537ed9f694b11399e5295c
                                                                                                                                                            • Instruction Fuzzy Hash: EB41863090522D96EF36B761CC06BBD72B8AF00309F1945ABA648665C2DF748DC9CF96
                                                                                                                                                            APIs
                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003F80F4
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to parse command line., xrefs: 003F7B1F
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7B31
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Uninitialize
                                                                                                                                                            • String ID: Failed to parse command line.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3861434553-3869882359
                                                                                                                                                            • Opcode ID: 5b844c5bb8ac182202cd6c2b54cb00908adc1eefb5ad17158b0d2862b42928d4
                                                                                                                                                            • Instruction ID: 612a502ebde8ee8516c6e7421ddc9b5e7df5ce8511b62087a50f5a84a23b3df7
                                                                                                                                                            • Opcode Fuzzy Hash: 5b844c5bb8ac182202cd6c2b54cb00908adc1eefb5ad17158b0d2862b42928d4
                                                                                                                                                            • Instruction Fuzzy Hash: 5D41973090522D96EF36B761CC06BBD72B8AF00309F1945EBA648665C2DF349DC9CF96
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,0041DE2B,?), ref: 003F55D3
                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,0041DE2B,?), ref: 003F55DA
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0041DE2B,?), ref: 003F55E4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$ErrorFreeLastProcess
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 406640338-0
                                                                                                                                                            • Opcode ID: 001e001b18e41bd91e3d447c5ae01867f8cf7688b8764394f0ef04d6a295f69d
                                                                                                                                                            • Instruction ID: b4d4969cc3215fe1da9ed01e59d6e3f9c5335fcddc6e41aeb1c1fbce0f9ec654
                                                                                                                                                            • Opcode Fuzzy Hash: 001e001b18e41bd91e3d447c5ae01867f8cf7688b8764394f0ef04d6a295f69d
                                                                                                                                                            • Instruction Fuzzy Hash: AFD0CD7350163963422117D75C085577E6CDF016A2B024171FF09D7115C521CD0082D4
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,0043E63E,00000000,?,?,NC,1490980C,?,0043E74E), ref: 0043E655
                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0043E63E,00000000,?,?,NC,1490980C,?,0043E74E), ref: 0043E65C
                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0043E66E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                            • Opcode ID: 495783b6298ad87dd732b91e81af5af9ce0177d0eebd6daa753a1bf449e56685
                                                                                                                                                            • Instruction ID: ea3804615c2194fdce6e667e08e3bfbb80b36e767ecd47ceea8a44bbe732750f
                                                                                                                                                            • Opcode Fuzzy Hash: 495783b6298ad87dd732b91e81af5af9ce0177d0eebd6daa753a1bf449e56685
                                                                                                                                                            • Instruction Fuzzy Hash: 21D09E31001604BFDF052F63DC0E95D3F2AAF54346F805165B905461B2DF39DA52DA8D
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNELBASE(FFFFFFFF,?,0044B428,00000000,00000000,?,003F8106), ref: 0044AC55
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                            • String ID: .#v@1#v
                                                                                                                                                            • API String ID: 2962429428-773301876
                                                                                                                                                            • Opcode ID: c76f6f9466fec5a5dbc74d342997e25e3121c5f70c38aedbcf1e71e2ec5cca26
                                                                                                                                                            • Instruction ID: 870c40f8005b1ea4dd2d0ea1eea0b25e2fc70482d45d03c8c38e45e6a0845810
                                                                                                                                                            • Opcode Fuzzy Hash: c76f6f9466fec5a5dbc74d342997e25e3121c5f70c38aedbcf1e71e2ec5cca26
                                                                                                                                                            • Instruction Fuzzy Hash: CDF05430D8020467E720EB79DECDB1A33995711732F580B29E020CA2E0D738E854CB2E
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNELBASE(000000FF,?,?), ref: 0041DE0C
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                            • String ID: .#v@1#v
                                                                                                                                                            • API String ID: 2962429428-773301876
                                                                                                                                                            • Opcode ID: 9b760f30a9feb9705dca9bc6640a092699fe4ffefedd093939815591a379da16
                                                                                                                                                            • Instruction ID: 7a0246c583fc5ae7a410befe7d21ff5734cd8e989d22213d12c9d76768381629
                                                                                                                                                            • Opcode Fuzzy Hash: 9b760f30a9feb9705dca9bc6640a092699fe4ffefedd093939815591a379da16
                                                                                                                                                            • Instruction Fuzzy Hash: 35F039716007049FDB109F69D848F9A3BA4AB18376F0582A8E9198B2B2C738D990CA54
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(0048D4F0,00000000,00000000,?,0044A9A3,?,?,?,00000000,0000FDE9,?,003F7B05,00000003), ref: 0044B3FD
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(0048D4F0,?,?,0044A9A3,?,?,?,00000000,0000FDE9,?,003F7B05,00000003), ref: 0044B40E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3168844106-0
                                                                                                                                                            • Opcode ID: 1710c1c10c817fdfe11a2f799c0fe8598825137cfa94c14a9f673466d9ec3a52
                                                                                                                                                            • Instruction ID: 3656f438f4656b7155c52a5e1f6890a14661ab43814d0baa67d492201f7f1c9a
                                                                                                                                                            • Opcode Fuzzy Hash: 1710c1c10c817fdfe11a2f799c0fe8598825137cfa94c14a9f673466d9ec3a52
                                                                                                                                                            • Instruction Fuzzy Hash: 5BD0C93264021467860427ABBC08C9EFBACDEA6AB27044477FA04D21369A75F91196A9
                                                                                                                                                            APIs
                                                                                                                                                            • RegQueryValueExW.KERNELBASE(?,?,0044D0F5,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,0044CDF4,00000000), ref: 0044C2F7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: QueryValue
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3660427363-0
                                                                                                                                                            • Opcode ID: c33a21a11644ad37cb29ac2421d38c95d375faa1c2923c84048218ed0f4bfea6
                                                                                                                                                            • Instruction ID: b8aefa97ae648a7de33594dfdc2367d7f2fa70820f7b692efc254efba989de71
                                                                                                                                                            • Opcode Fuzzy Hash: c33a21a11644ad37cb29ac2421d38c95d375faa1c2923c84048218ed0f4bfea6
                                                                                                                                                            • Instruction Fuzzy Hash: 2C21D231A0122AEBEB158E55CC80A6F37B6EF84300F28C167ED05AB264DB35DD029B94
                                                                                                                                                            APIs
                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,?,?,00440BD7,00000001,00000364,?,00000006,000000FF), ref: 0044109A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044AC32: CloseHandle.KERNELBASE(FFFFFFFF,?,0044B428,00000000,00000000,?,003F8106), ref: 0044AC55
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(0048D4F0,00000000,00000000,?,003F8106,00000000,?,?,?,?), ref: 0044B437
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCriticalDeleteHandleSection
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1370521891-0
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0045C4F6: RtlAcquireSRWLockExclusive.NTDLL ref: 0045C513
                                                                                                                                                            • DloadProtectSection.DELAYIMP ref: 0045C475
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AcquireDloadExclusiveLockProtectSection
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3680172570-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C183
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C183
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C183
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: 2953862999bf92c533846b2346e45c0cabbf77da6d6c3d117c39eeaf46839547
                                                                                                                                                            • Instruction ID: 4393a5ba72bc1c4cf31210dea8ad2efd46b959b1fafb7695bffcd86f6a289e94
                                                                                                                                                            • Opcode Fuzzy Hash: 2953862999bf92c533846b2346e45c0cabbf77da6d6c3d117c39eeaf46839547
                                                                                                                                                            • Instruction Fuzzy Hash: 22B012C5298202EE311471069E42E3F114CC4C2B12330EC1FB800C8143D5CE5C4A123F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: 281a96aba8c8a4a67ca0369a9e4e08cfba19190bb422b654f3a87bb3e1676630
                                                                                                                                                            • Instruction ID: 43b97b3dc7dda55c3d3d732f460d64b66c5b56d925ead5e12fb62b23dc1d3cf8
                                                                                                                                                            • Opcode Fuzzy Hash: 281a96aba8c8a4a67ca0369a9e4e08cfba19190bb422b654f3a87bb3e1676630
                                                                                                                                                            • Instruction Fuzzy Hash: D2B01285358312EE320471075C42D3F020CC0C1B12330AD1FB800C4143D8CD0D9E223F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: 330cfd37d6286b3290b36c86435082cc636df47f3d5df491c0e7dcdaa9f84bec
                                                                                                                                                            • Instruction ID: 8a2ecb2782d93f779d750ed4f11ddcb52dbfe1039468609395470603a52a8785
                                                                                                                                                            • Opcode Fuzzy Hash: 330cfd37d6286b3290b36c86435082cc636df47f3d5df491c0e7dcdaa9f84bec
                                                                                                                                                            • Instruction Fuzzy Hash: D8B01285358212EF310471075C42E3F020CC0C2B12330AC1FF800C4143D8CD0D5A123F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: 9e6b64553098785a91f0736a0a1017fff8a1317c3a550d3d0d1a1ad8add8d259
                                                                                                                                                            • Instruction ID: 1ad80b8779d250d1da60529e1b1eb34ce4ad13786826c2c7bba5c96be76535bd
                                                                                                                                                            • Opcode Fuzzy Hash: 9e6b64553098785a91f0736a0a1017fff8a1317c3a550d3d0d1a1ad8add8d259
                                                                                                                                                            • Instruction Fuzzy Hash: 28B09285258202AE32046106684693E0248C481B12330A91BB800C4143988D0999223F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: a665b9e86b172b0729f54b2211702d1aaccade168760a7eb2735be124fecb6f3
                                                                                                                                                            • Instruction ID: ebc432bf6727a4ca1812344f66a83320bb141efcc760fce9e7303bb9e40580f2
                                                                                                                                                            • Opcode Fuzzy Hash: a665b9e86b172b0729f54b2211702d1aaccade168760a7eb2735be124fecb6f3
                                                                                                                                                            • Instruction Fuzzy Hash: ACB01289358202EE310471075D42D3F024CC8C1B12330EC1FB800C8143D8CE0D9A123F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: cd81d97fcedfcf2712b42583f5201a32a180839cec26af0dd87100762b18b9a8
                                                                                                                                                            • Instruction ID: 7e1ac54618436fb94176475e0c08b43c0ab6e87c7b30f2ea5ed66bd004a58b81
                                                                                                                                                            • Opcode Fuzzy Hash: cd81d97fcedfcf2712b42583f5201a32a180839cec26af0dd87100762b18b9a8
                                                                                                                                                            • Instruction Fuzzy Hash: 87B09285258202EE31046106588293E0248C481B12330A81BB800C4143D88D0999163F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: b9648cfd5c30c438de0380fc9888f8cde51316e5c9fcd8352115c9ac6b8f752b
                                                                                                                                                            • Instruction ID: 5ae945f4ad59b8406e2415235142c6596a0d8e7b20eb5fa50f480e08dfa953b3
                                                                                                                                                            • Opcode Fuzzy Hash: b9648cfd5c30c438de0380fc9888f8cde51316e5c9fcd8352115c9ac6b8f752b
                                                                                                                                                            • Instruction Fuzzy Hash: A8B01285358202EE310471075E42D3F020CC0C1B12330EC1FB800C8183E8CE0E5A023F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            • Opcode ID: f21f6c47cbb7d5cb76d1fce2ae2d28336dd5e5a86bdd2e9af86b28f04bb1ee08
                                                                                                                                                            • Instruction ID: 44c3b0c8576c058c295ea00ea8fd89274d0371afd517a1cdf438baa00bb391a6
                                                                                                                                                            • Opcode Fuzzy Hash: f21f6c47cbb7d5cb76d1fce2ae2d28336dd5e5a86bdd2e9af86b28f04bb1ee08
                                                                                                                                                            • Instruction Fuzzy Hash: B4B01285359202EE310471075C42E3F020CC0C2B12330AC1FB800C5183D8CD0D59023F
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C1E9
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C343
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C424
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C424
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0045C424
                                                                                                                                                              • Part of subcall function 0045C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0045C762
                                                                                                                                                              • Part of subcall function 0045C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0045C773
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,0046E414,000000FF,003F6C5C,003F6C78,003F6570,?,00000000,?), ref: 0041470C
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 0041472F
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00414752
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E458,000000FF), ref: 00414775
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E45C,000000FF), ref: 00414798
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 004147BB
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E46C,000000FF), ref: 004147DE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,quiet,000000FF), ref: 00414801
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0046E47C,000000FF), ref: 00414824
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,silent,000000FF), ref: 00414847
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,passive,000000FF), ref: 0041486A
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,layout,000000FF), ref: 00414898
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,unsafeuninstall,000000FF), ref: 00414970
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,uninstall,000000FF), ref: 004149AE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,repair,000000FF), ref: 004149EC
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,modify,000000FF), ref: 00414A2A
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,package,000000FF), ref: 00414A68
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,update,000000FF), ref: 00414A8B
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,noaupause,000000FF), ref: 00414AAE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,keepaupaused,000000FF), ref: 00414AD9
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,disablesystemrestore,000000FF), ref: 00414B0E
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,originalsource,000000FF), ref: 00414B3C
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent,000000FF), ref: 00414B9D
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent:none,000000FF), ref: 00414BFE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.log.append,000000FF), ref: 00414C51
                                                                                                                                                            • lstrlenW.KERNEL32(burn.log.mode,burn.log.mode,000000FF), ref: 00414C99
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00414CAB
                                                                                                                                                            • lstrlenW.KERNEL32(burn.log.mode), ref: 00414CBF
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.elevated,000000FF), ref: 00414D6C
                                                                                                                                                            • lstrlenW.KERNEL32(burn.clean.room), ref: 00414E5B
                                                                                                                                                            • lstrlenW.KERNEL32(burn.clean.room,burn.clean.room,00000000), ref: 00414E69
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00414E7B
                                                                                                                                                            • lstrlenW.KERNEL32(burn.clean.room), ref: 00414EFB
                                                                                                                                                            • lstrlenW.KERNEL32(burn.system.component), ref: 00414F7F
                                                                                                                                                            • lstrlenW.KERNEL32(burn.system.component,burn.system.component,00000000), ref: 00414F8D
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00414F9F
                                                                                                                                                            • lstrlenW.KERNEL32(burn.system.component), ref: 00414FAF
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.embedded,000000FF), ref: 00415024
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.detect,000000FF), ref: 004150BA
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.upgrade,000000FF), ref: 004150FD
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,burn.related.addon,000000FF), ref: 0041511D
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.addon,000000FF), ref: 00415141
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.patch,000000FF), ref: 00415164
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.patch,000000FF), ref: 00415187
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.update,000000FF), ref: 004151AA
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.chain.package,000000FF), ref: 004151D0
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.passthrough,000000FF), ref: 004151F6
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.runonce,000000FF), ref: 00415224
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 00415280
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ignoredependencies,burn.ignoredependencies,00000000), ref: 0041528E
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 004152A0
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 004152B0
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ancestors), ref: 00415325
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ancestors,burn.ancestors,00000000), ref: 00415333
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00415345
                                                                                                                                                            • lstrlenW.KERNEL32(burn.ancestors), ref: 00415355
                                                                                                                                                            • lstrlenW.KERNEL32(burn.user.working.directory), ref: 004153CD
                                                                                                                                                            • lstrlenW.KERNEL32(burn.user.working.directory,burn.user.working.directory,00000000), ref: 004153DB
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 004153ED
                                                                                                                                                            • lstrlenW.KERNEL32(burn.user.working.directory), ref: 004153FD
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 00415468
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000), ref: 00415476
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00415488
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 0041549C
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00415527
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000), ref: 00415535
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00415547
                                                                                                                                                            • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00415557
                                                                                                                                                            • lstrlenW.KERNEL32(burn.splash.screen), ref: 004155D0
                                                                                                                                                            • lstrlenW.KERNEL32(burn.splash.screen,burn.splash.screen,00000000), ref: 004155DE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 004155F0
                                                                                                                                                            • lstrlenW.KERNEL32(burn.splash.screen), ref: 00415600
                                                                                                                                                            • lstrlenW.KERNEL32(burn.), ref: 0041567F
                                                                                                                                                            • lstrlenW.KERNEL32(burn.,burn.,00000000), ref: 0041568D
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 0041569F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString$lstrlen
                                                                                                                                                            • String ID: Clean room command-line switch must be first argument on command-line.$Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to copy append log file path.$Failed to copy last used source.$Failed to copy log file path.$Failed to copy parent.$Failed to copy path for layout directory.$Failed to copy source process path.$Failed to ensure size for secret args.$Failed to ensure size for unknown args.$Failed to initialize parent to none.$Failed to parse elevated connection.$Failed to parse embedded connection.$Failed to parse file handle: '%ls'$Failed to parse splash screen window: '%ls'$Failed to store the custom working directory.$Invalid switch: %ls$Missing required parameter for switch: %ls$Multiple mode command-line switches were provided.$Must specify a path for append log.$Must specify a path for log.$Must specify a path for original source.$Must specify a value for parent.$Must specify the elevated name, token and parent process id.$Must specify the embedded name, token and parent process id.$burn.$burn.ancestors$burn.clean.room$burn.elevated$burn.embedded$burn.user.working.directory$burn.filehandle.attached$burn.filehandle.self$burn.ignoredependencies$burn.log.append$burn.log.mode$burn.passthrough$burn.related.addon$burn.related.chain.package$burn.related.dependent.addon$burn.related.dependent.patch$burn.related.detect$burn.related.patch$burn.related.update$burn.related.upgrade$burn.runonce$burn.splash.screen$burn.system.component$d:\a\wix4\wix4\src\burn\user\core.cpp$disablesystemrestore$help$keepaupaused$layout$log$modify$noaupause$originalsource$package$parent$parent:none$passive$quiet$repair$silent$uninstall$unsafeuninstall$update$xlog
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 0040278C
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,DirectorySearch,000000FF,00000000,Condition,003F7E53,00000000,Variable,003F7E4F,00000000,00461D1C,003F7E4B,003F7E4B), ref: 00401A63
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,Path,003F7E5F), ref: 00401AD2
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,path,00000000), ref: 00401AEF
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,FileSearch,000000FF), ref: 00401B15
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,DisableFileRedirection,003F7E63,00000000,Path,003F7E5F), ref: 00401BB3
                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 004022EE
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$Compare$FreeHeap$AllocateProcess
                                                                                                                                                            • String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch|ExtensionSearch|SetVariable$DisableFileRedirection$ExpandEnvironment$ExtensionId$ExtensionSearch$Failed to allocate memory for search structs.$Failed to find extension '%ls' for search '%ls'$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @ExtensionId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Value.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get DisableFileRedirection attribute.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$SetVariable$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$d:\a\wix4\wix4\src\burn\user\search.cpp$directory$exists$formatted$keyPath$language$numeric$path$state$string$value$version
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                            • String ID: @Container is required for embedded payload.$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to add payload to container dictionary.$Failed to add payload to payloads dictionary.$Failed to allocate memory for layout payloads.$Failed to allocate memory for payload structs.$Failed to create dictionary for container payloads.$Failed to create dictionary for payloads.$Failed to find container: %ls$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$File size is required when verifying by hash for payload: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$There was no verification information for payload: %ls$d:\a\wix4\wix4\src\burn\user\payload.cpp$embedded$external$hhF
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,00000000,?,?,?,?,?,00000000,00000000,?,003F6DA2,00000000,00000000,8000FFFF,?), ref: 00422EFE
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to format obfuscated argument string., xrefs: 00422CE5
                                                                                                                                                            • Failed to get command-line argument for uninstall., xrefs: 00422A95
                                                                                                                                                            • Failed to append argument from ARP., xrefs: 00422B68
                                                                                                                                                            • -%ls=ALL, xrefs: 00422BBA
                                                                                                                                                            • Pseudo ExePackages must have a fully qualified target path., xrefs: 0042264C
                                                                                                                                                            • -%ls, xrefs: 00422B87
                                                                                                                                                            • Failed to append the custom working directory to the exepackage command line., xrefs: 00422C3E
                                                                                                                                                            • Failed to get command-line argument for install., xrefs: 00422A0F
                                                                                                                                                            • burn.filehandle.self, xrefs: 00422C6D
                                                                                                                                                            • WixBundleExecutePackageAction, xrefs: 004228B1, 00422F1D
                                                                                                                                                            • Failed to evaluate executable package command-line condition., xrefs: 00422AC3
                                                                                                                                                            • WixBundleExecutePackageCacheFolder, xrefs: 00422899, 00422F0C
                                                                                                                                                            • Invalid Exe package action: %d., xrefs: 004228EF, 00422A7E
                                                                                                                                                            • QuietUninstallString is null., xrefs: 004226F5
                                                                                                                                                            • Failed to verify the QuietUninstallString executable path is in a secure location: %ls, xrefs: 004227C6
                                                                                                                                                            • install, xrefs: 0042258D, 00422592
                                                                                                                                                            • "%ls", xrefs: 00422AE0
                                                                                                                                                            • burn.related.chain.package, xrefs: 00422B7F
                                                                                                                                                            • Failed to copy package arguments., xrefs: 0042293D
                                                                                                                                                            • %ls %ls, xrefs: 00422D05
                                                                                                                                                            • burn.ignoredependencies, xrefs: 00422BB2
                                                                                                                                                            • Failed to run EXE process, xrefs: 00422E19
                                                                                                                                                            • -%ls=%ls, xrefs: 00422BF9
                                                                                                                                                            • Failed to append the relation type to the command line., xrefs: 00422B9B
                                                                                                                                                            • Failed to run exe with Burn protocol from path: %ls, xrefs: 00422DA3
                                                                                                                                                            • Failed to append %ls, xrefs: 00422C72
                                                                                                                                                            • uninstall, xrefs: 00422586
                                                                                                                                                            • Failed to get command-line argument for repair., xrefs: 004229E2
                                                                                                                                                            • QuietUninstallString must contain an executable path., xrefs: 00422758
                                                                                                                                                            • Failed to allocate base command., xrefs: 00422AF4
                                                                                                                                                            • The QuietUninstallString executable path is not in a secure location: %ls, xrefs: 004227F2
                                                                                                                                                            • Failed to separate command-line arguments., xrefs: 00422AAC
                                                                                                                                                            • Failed to append the list of ancestors to the command line., xrefs: 00422C0D
                                                                                                                                                            • Failed to get parent directory for pseudo-package: %ls, xrefs: 004226AC
                                                                                                                                                            • Failed to get parent directory for QuietUninstallString executable path: %ls, xrefs: 00422820
                                                                                                                                                            • -norestart, xrefs: 00422B3D
                                                                                                                                                            • Failed to allocate obfuscated exe command., xrefs: 00422D19
                                                                                                                                                            • Failed to run netfx chainer: %ls, xrefs: 00422DE0
                                                                                                                                                            • Process returned error: 0x%x, xrefs: 00422E64
                                                                                                                                                            • Failed to query ArpEntry for %hs., xrefs: 00422593
                                                                                                                                                            • Failed to append norestart argument., xrefs: 00422B51
                                                                                                                                                            • Failed to parse QuietUninstallString: %ls., xrefs: 00422723
                                                                                                                                                            • Failed to format argument string., xrefs: 00422CB6
                                                                                                                                                            • burn.ancestors, xrefs: 00422BF4
                                                                                                                                                            • .#v@1#v, xrefs: 00422EFE
                                                                                                                                                            • Failed to append the list of dependencies to ignore to the command line., xrefs: 00422BCE
                                                                                                                                                            • Failed to get cached path for package: %ls, xrefs: 0042284E
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\exeuser.cpp, xrefs: 004225A5, 00422641, 00422646, 0042265A, 0042268D, 004226E2, 004226ED, 00422745, 00422750, 00422798, 004227D8, 004228D6, 004228E1, 00422A65, 00422A70, 00422E55, 00422E5B, 00422E72
                                                                                                                                                            • Failed to build executable path., xrefs: 0042267B, 0042287A
                                                                                                                                                            • Failed to copy executable path., xrefs: 00422786
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                            • String ID: -%ls$ -%ls=%ls$ -%ls=ALL$ -norestart$"%ls"$%ls %ls$Failed to allocate base command.$Failed to allocate obfuscated exe command.$Failed to append %ls$Failed to append argument from ARP.$Failed to append norestart argument.$Failed to append the custom working directory to the exepackage command line.$Failed to append the list of ancestors to the command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the relation type to the command line.$Failed to build executable path.$Failed to copy executable path.$Failed to copy package arguments.$Failed to evaluate executable package command-line condition.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get cached path for package: %ls$Failed to get command-line argument for install.$Failed to get command-line argument for repair.$Failed to get command-line argument for uninstall.$Failed to get parent directory for QuietUninstallString executable path: %ls$Failed to get parent directory for pseudo-package: %ls$Failed to parse QuietUninstallString: %ls.$Failed to query ArpEntry for %hs.$Failed to run EXE process$Failed to run exe with Burn protocol from path: %ls$Failed to run netfx chainer: %ls$Failed to separate command-line arguments.$Failed to verify the QuietUninstallString executable path is in a secure location: %ls$Invalid Exe package action: %d.$Process returned error: 0x%x$Pseudo ExePackages must have a fully qualified target path.$QuietUninstallString is null.$QuietUninstallString must contain an executable path.$The QuietUninstallString executable path is not in a secure location: %ls$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$burn.ancestors$burn.filehandle.self$burn.ignoredependencies$burn.related.chain.package$d:\a\wix4\wix4\src\burn\user\exeuser.cpp$install$uninstall$.#v@1#v
                                                                                                                                                            • API String ID: 2962429428-1511095021
                                                                                                                                                            • Opcode ID: 3cc046ac3c7079589d3189b53a0cb22032c7df2428918d9944ede44be31c8ddf
                                                                                                                                                            • Instruction ID: aeccc3002d5e84fe2912785279ff2f57b5ae8e5d6a706fc8580cd2080db646c7
                                                                                                                                                            • Opcode Fuzzy Hash: 3cc046ac3c7079589d3189b53a0cb22032c7df2428918d9944ede44be31c8ddf
                                                                                                                                                            • Instruction Fuzzy Hash: 4E42E631B40229BBDF229E90DD46FEF7A74AB04B10F514113FA04BA2D0D7F99E509B99
                                                                                                                                                            APIs
                                                                                                                                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0044DAB7
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DAC1
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0044DB19
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DB23
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0044DB71
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DB7B
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0044DBCC
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DBD6
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0044DC27
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DC31
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0044DC82
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DC8C
                                                                                                                                                            • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 0044DD8E
                                                                                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 0044DDD9
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DDE3
                                                                                                                                                            • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 0044DE2C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DE36
                                                                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0044DE80
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044DE8A
                                                                                                                                                            • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 0044DED9
                                                                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0044DF10
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                                                                                                                                            • String ID: Failed to create ACL for system restore.$Failed to create administrator SID for system restore.$Failed to create local service SID for system restore.$Failed to create local system SID for system restore.$Failed to create network service SID for system restore.$Failed to create self SID for system restore.$Failed to initialize COM security for system restore.$Failed to initialize security descriptor for system restore.$Failed to set DACL for system restore.$Failed to set administrators group access for system restore.$Failed to set administrators owner for system restore.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp
                                                                                                                                                            • API String ID: 267631441-1154305825
                                                                                                                                                            • Opcode ID: 9400d9c2c5c17f202139d547e601b7cd623199e274053064808a8e43938ea86e
                                                                                                                                                            • Instruction ID: 1cddc148f5809325a60067e0055b077d0892d546cd9a452ff9f3e6bf8659a24b
                                                                                                                                                            • Opcode Fuzzy Hash: 9400d9c2c5c17f202139d547e601b7cd623199e274053064808a8e43938ea86e
                                                                                                                                                            • Instruction Fuzzy Hash: CBD18576D4123DABE7209F558C49FDFBABCAF44710F0145ABA908F7241D7B49E408BA8
                                                                                                                                                            APIs
                                                                                                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,003F6CF2,00000000), ref: 0040BBB4
                                                                                                                                                            • GetLastError.KERNEL32(003F73DE,00000000,003F6CF2,00000000,00000000,000000B0,?,?,003F6CF2,00000000,00000000), ref: 0040BBBD
                                                                                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,003F6CF2,003F73DE,00000000,003F6CF2,00000000,00000000,000000B0), ref: 0040BC7D
                                                                                                                                                            • GetLastError.KERNEL32(?,?,003F6CF2,00000000,00000000), ref: 0040BC8B
                                                                                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 0040BD32
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040BD3F
                                                                                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 0040BDCE
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040BDD9
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,d:\a\wix4\wix4\src\burn\user\pipe.cpp,0000012D,00000000), ref: 0040BE27
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,d:\a\wix4\wix4\src\burn\user\pipe.cpp,0000012D,00000000), ref: 0040BE31
                                                                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0040BE5F
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CreateNamedPipe$CloseDescriptorHandleSecurity$ConvertFreeLocalString
                                                                                                                                                            • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of logging pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create cache pipe: %ls$Failed to create logging pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\user\pipe.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 2306725211-1348302956
                                                                                                                                                            • Opcode ID: 770ad8cf874929ead148f22c26ec671e3bb05db278fa619d2b9599a090e963d8
                                                                                                                                                            • Instruction ID: f5d6ee998c2a839796e823f6d65bb5c77397f5510e27c6a3d08d14bda67646f8
                                                                                                                                                            • Opcode Fuzzy Hash: 770ad8cf874929ead148f22c26ec671e3bb05db278fa619d2b9599a090e963d8
                                                                                                                                                            • Instruction Fuzzy Hash: B771A971E80229B7EB115A958C46FEFBA68DF04B11F110526FE04BA2D1E3B89D409ADD
                                                                                                                                                            APIs
                                                                                                                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,?,F0000040,?,?,?,?,?,?), ref: 0044A335
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A33F
                                                                                                                                                            • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?), ref: 0044A38D
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A397
                                                                                                                                                            • CryptHashData.ADVAPI32(?,?,?,00000000,?,?), ref: 0044A3F2
                                                                                                                                                            • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?), ref: 0044A416
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A420
                                                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 0044A473
                                                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0044A48A
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A4A3
                                                                                                                                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?), ref: 0044A4EF
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A4F9
                                                                                                                                                            • SetFilePointerEx.KERNEL32(?,00000000,00000000,0000800E,00000001,?,?), ref: 0044A543
                                                                                                                                                            • GetLastError.KERNEL32(?,?), ref: 0044A551
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                                                                                                                                                            • String ID: Failed to acquire crypto context.$Failed to get file pointer.$Failed to get hash value.$Failed to hash data block.$Failed to initiate hash.$Failed to read data block.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
                                                                                                                                                            • API String ID: 3955742341-696376830
                                                                                                                                                            APIs
                                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0044B8BC
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B8C6
                                                                                                                                                            • OpenProcessToken.ADVAPI32(?,00000020,?), ref: 0044B91A
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B924
                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0044B976
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B980
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0044B9C4
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0044B9DD
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$Token$AdjustCloseHandleLookupOpenPrivilegePrivilegesProcessValue
                                                                                                                                                            • String ID: Failed to adjust token to add privilege: %ls$Failed to get privilege LUID: %ls$Failed to get process token to adjust privileges.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 1766547789-3851495997
                                                                                                                                                            APIs
                                                                                                                                                            • FindResourceExA.KERNEL32(?,0000000A,?,00000000), ref: 004569AD
                                                                                                                                                            • GetLastError.KERNEL32(?,0041D16B,?,00000001,?,?), ref: 004569B9
                                                                                                                                                            • LoadResource.KERNEL32(?,00000000,?,0041D16B,?,00000001,?,?), ref: 00456A06
                                                                                                                                                            • GetLastError.KERNEL32(?,0041D16B,?,00000001,?,?), ref: 00456A12
                                                                                                                                                            • SizeofResource.KERNEL32(?,00000000,?,0041D16B,?,00000001,?,?), ref: 00456A4D
                                                                                                                                                            • GetLastError.KERNEL32(?,0041D16B,?,00000001,?,?), ref: 00456A59
                                                                                                                                                            • LockResource.KERNEL32(00000000,?,0041D16B,?,00000001,?,?), ref: 00456A94
                                                                                                                                                            • GetLastError.KERNEL32(?,0041D16B,?,00000001,?,?), ref: 00456AA5
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastResource$FindLoadLockSizeof
                                                                                                                                                            • String ID: Failed to find resource.$Failed to get size of resource.$Failed to load resource.$Failed to lock data resource.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\resrutil.cpp
                                                                                                                                                            • API String ID: 2627587518-3856033167
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\cache.cpp, xrefs: 0040EA91, 0040EAEA, 0040EC97, 0040ECBB
                                                                                                                                                            • Failed to reset permissions on unverified cached payload: %ls, xrefs: 0040EBBC
                                                                                                                                                            • Aborted transferring working path to unverified path for payload: %ls., xrefs: 0040EB92
                                                                                                                                                            • Failed to create unverified path., xrefs: 0040EAD8
                                                                                                                                                            • moving, xrefs: 0040EC25, 0040EC32
                                                                                                                                                            • Failed to move verified file to complete payload path: %ls, xrefs: 0040EC6A
                                                                                                                                                            • Failed to get cached path for package with cache id: %ls, xrefs: 0040EA7F
                                                                                                                                                            • copying, xrefs: 0040EC2C
                                                                                                                                                            • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 0040ECA9
                                                                                                                                                            • Failed to transfer working path to unverified path for payload: %ls., xrefs: 0040EB31
                                                                                                                                                            • Failed to verify payload: %ls at path: %ls, xrefs: 0040EC0A
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Aborted transferring working path to unverified path for payload: %ls.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$Failed to verify payload: %ls at path: %ls$copying$d:\a\wix4\wix4\src\burn\user\cache.cpp$moving
                                                                                                                                                            • API String ID: 0-1123430254
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0040DBAC
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040DBBF
                                                                                                                                                            • DecryptFileW.ADVAPI32(?,00000000), ref: 0040DD92
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040DDA1
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$CloseCreateDecryptErrorHandleLast
                                                                                                                                                            • String ID: Failed to open payload at path: %ls$Failed to verify file size for path: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$Payload has no verification information: %ls$d:\a\wix4\wix4\src\burn\user\cache.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 3262865546-733500968
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0040DA2B
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040DA3E
                                                                                                                                                            • DecryptFileW.ADVAPI32(?,00000000), ref: 0040DB3F
                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000001,?,00000000,?,?,?,?), ref: 0040DB4E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$CloseCreateDecryptErrorHandleLast
                                                                                                                                                            • String ID: Container has no verification information: %ls$Failed to open container at path: %ls$Failed to verify hash of container: %ls$d:\a\wix4\wix4\src\burn\user\cache.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 3262865546-1626691124
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9662
                                                                                                                                                            • Failed to set variant value., xrefs: 003F9650
                                                                                                                                                            • Failed to get OS info., xrefs: 003F9544
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                            • String ID: Failed to get OS info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3664257935-2618661516
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: BA aborted cache acquire begin.$BA aborted cache acquire resolving.$Failed to compare '%ls' to '%ls'.$Failed to copy payload: %ls$Failed to determine if payload paths were equivalent, source: %ls, destination: %ls.$Failed to download payload: %ls$Failed to extract container for payload: %ls$Failed to resolve source, payload: %ls, package: %ls, container: %ls$Failed to search local source.$d:\a\wix4\wix4\src\burn\user\apply.cpp
                                                                                                                                                            • API String ID: 0-1652660176
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __floor_pentium4
                                                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                            • API String ID: 4168288129-2761157908
                                                                                                                                                            APIs
                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,.unverified,?), ref: 0040E7D8
                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,?,?,*.*,?,?,?,.unverified,?), ref: 0040E871
                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,*.*,?,?,?,.unverified,?), ref: 0040E880
                                                                                                                                                              • Part of subcall function 003F5C81: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 003F5CE9
                                                                                                                                                              • Part of subcall function 003F5C81: GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 003F5CF4
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileFind$AttributesCloseErrorFirstLastNext
                                                                                                                                                            • String ID: *.*$.unverified
                                                                                                                                                            • API String ID: 3458812364-2528915496
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastNameUser
                                                                                                                                                            • String ID: Failed to get the user name.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 2054405381-561454448
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to check if "ALL" was set in IGNOREDEPENDENCIES., xrefs: 004115A3
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\dependency.cpp, xrefs: 0041156F, 0041187F
                                                                                                                                                            • Failed to add the package provider key "%ls" to the planned list., xrefs: 0041186D
                                                                                                                                                            • Failed to check the dictionary of ignored dependents., xrefs: 00411711
                                                                                                                                                            • Failed to build the list of ignored dependents., xrefs: 0041155D
                                                                                                                                                            • ALL, xrefs: 00411581
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: ALL$Failed to add the package provider key "%ls" to the planned list.$Failed to build the list of ignored dependents.$Failed to check if "ALL" was set in IGNOREDEPENDENCIES.$Failed to check the dictionary of ignored dependents.$d:\a\wix4\wix4\src\burn\user\dependency.cpp
                                                                                                                                                            • API String ID: 0-71972248
                                                                                                                                                            APIs
                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,0000000C), ref: 0045BA96
                                                                                                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(?,0000000C,?), ref: 0045BAA8
                                                                                                                                                            Strings
                                                                                                                                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 0045BA7F
                                                                                                                                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0045BAF3
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Time$InformationLocalSpecificSystemZone
                                                                                                                                                            • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ
                                                                                                                                                            • API String ID: 1772835396-395410266
                                                                                                                                                            APIs
                                                                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00429898,00000000,00000003), ref: 00429910
                                                                                                                                                            • GetLastError.KERNEL32(?,00429898,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00429D0A,?), ref: 0042991A
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ChangeConfigErrorLastService
                                                                                                                                                            • String ID: Failed to set service start type.$d:\a\wix4\wix4\src\burn\user\msuuser.cpp
                                                                                                                                                            • API String ID: 1456623077-1893245463
                                                                                                                                                            APIs
                                                                                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0045C546
                                                                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 0045C561
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InfoQuerySystemVirtual
                                                                                                                                                            • String ID: D
                                                                                                                                                            • API String ID: 401686933-2746444292
                                                                                                                                                            APIs
                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043D4E6
                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043D4F0
                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043D4FD
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                            APIs
                                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,feclient.dll,?,00000008,?,?,00449393,0045E878,?,00000008,?,?,00448F96,00000000), ref: 004495C5
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                                            • String ID: feclient.dll
                                                                                                                                                            • API String ID: 3997070919-3074931424
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044B523: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,0044B4C2,?), ref: 0044B5EF
                                                                                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044B4E6
                                                                                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0044B4F7
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocateCheckCloseInitializeMembershipToken
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2114926846-0
                                                                                                                                                            APIs
                                                                                                                                                            • FindFirstFileW.KERNEL32(003F6DEA,?,003F6DEA,003F6DEA,00000000), ref: 00453476
                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00453482
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2295610775-0
                                                                                                                                                            • Opcode ID: 3a8c996a54b051a3a46cefa5f49f35c68a230fbb27c30086710d9d337eb68a24
                                                                                                                                                            • Instruction ID: 7274f37fa82d70432388e37aacf08f84600536e165743e5392c860fd2ff3faf6
                                                                                                                                                            • Opcode Fuzzy Hash: 3a8c996a54b051a3a46cefa5f49f35c68a230fbb27c30086710d9d337eb68a24
                                                                                                                                                            • Instruction Fuzzy Hash: DB01DB7260020867DB10EF6ADD89D5BB7ACDBC531AF000166F804D3241D7349E4D8758
                                                                                                                                                            APIs
                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0043726B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                            • Opcode ID: e56ec948f033177e046056928bafcd12b64c3ae172180ce1b8d6c35f4afafe74
                                                                                                                                                            • Instruction ID: 0b71793ec1092b0c5c204ac013704990bb18d2bac872bc3b16ee75bd07f05eb6
                                                                                                                                                            • Opcode Fuzzy Hash: e56ec948f033177e046056928bafcd12b64c3ae172180ce1b8d6c35f4afafe74
                                                                                                                                                            • Instruction Fuzzy Hash: 55514EB1A14205CBDB25CF59E8C17AEBBF0FB48354F24986AD955EB350D378A900CF68
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 0
                                                                                                                                                            • API String ID: 0-4108050209
                                                                                                                                                            • Opcode ID: d36c621400ddcf8d3f89a5153072d77eca4fc9bbaf8de3da59d4acb53c58b15b
                                                                                                                                                            • Instruction ID: 509f49f300a192c32ccd0020bcb06fa7cd6332833af86e1f40102a4c161702fa
                                                                                                                                                            • Opcode Fuzzy Hash: d36c621400ddcf8d3f89a5153072d77eca4fc9bbaf8de3da59d4acb53c58b15b
                                                                                                                                                            • Instruction Fuzzy Hash: 56D1CC70A0060A8FCB28EF68C5C166AF7B1FF4C314F24661ED556AB391D338AD42CB59
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 8fccf37a3f3ce35eeb979ed3a2f85c7f1d659ee0c5144916a36b9029c1be4852
                                                                                                                                                            • Instruction ID: 2775dda517131a3aa2380ab1af5a7b53b94ef79d2d22ada5cae7ade31a9ef3e3
                                                                                                                                                            • Opcode Fuzzy Hash: 8fccf37a3f3ce35eeb979ed3a2f85c7f1d659ee0c5144916a36b9029c1be4852
                                                                                                                                                            • Instruction Fuzzy Hash: 1B31D772900219AFEB20DFA9CCC5DBB776DEB84354F14419AF905D7254EA34DD808B58
                                                                                                                                                            APIs
                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00047150,004368C5), ref: 00437147
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3192549508-0
                                                                                                                                                            • Opcode ID: c038d612d6fe98373d07a0d40836788c06823b0423f8a1ea583018b012a5b247
                                                                                                                                                            • Instruction ID: 3a9ae858ce135b309cc3a90e9d43371d7882504089d74f0803c084b801a624a5
                                                                                                                                                            • Opcode Fuzzy Hash: c038d612d6fe98373d07a0d40836788c06823b0423f8a1ea583018b012a5b247
                                                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 31c81ea08619909c6322d62b5e957f97260132f134e6dfb16b0fb80343a7b8f4
                                                                                                                                                            • Instruction ID: 947f799c79e367be3fa5a99315a8ab32b13ff9850e183c0dcad3ee57293ba3b9
                                                                                                                                                            • Opcode Fuzzy Hash: 31c81ea08619909c6322d62b5e957f97260132f134e6dfb16b0fb80343a7b8f4
                                                                                                                                                            • Instruction Fuzzy Hash: 96B14770A00B15ABCB24EF76E985B9BB7E5BF04305F55482EE56A97301C778F880CB58
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: f45917a54f30991107f6fb82b6191d13c0f43520db1c78e611fe930a6d6763fd
                                                                                                                                                            • Instruction ID: c50f2ea908bd80ecb600df2891fbdd8cb29e3d8de07bc9161a4d44cb433aa32a
                                                                                                                                                            • Opcode Fuzzy Hash: f45917a54f30991107f6fb82b6191d13c0f43520db1c78e611fe930a6d6763fd
                                                                                                                                                            • Instruction Fuzzy Hash: C841E333758220AADF2EED39A5696372691FB81304FA4813FC507C2759D539DD83CA0C
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,0047EC58,000000FF,?,?,?), ref: 00459914
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00459956
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0045999B
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 004599E0
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00459A25
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00459A6A
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00459AA7
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00459AE4
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,link,000000FF), ref: 00459B3E
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00459B88
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00459D3A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$Compare$Free
                                                                                                                                                            • String ID: Cannot have two content elements in ATOM entry.$Failed to allocate ATOM entry authors.$Failed to allocate ATOM entry categories.$Failed to allocate ATOM entry content.$Failed to allocate ATOM entry id.$Failed to allocate ATOM entry links.$Failed to allocate ATOM entry published.$Failed to allocate ATOM entry summary.$Failed to allocate ATOM entry title.$Failed to allocate ATOM entry updated.$Failed to find required feed/entry/id element.$Failed to find required feed/entry/title element.$Failed to find required feed/entry/updated element.$Failed to get child nodes of ATOM entry element.$Failed to parse ATOM entry author.$Failed to parse ATOM entry category.$Failed to parse ATOM entry content.$Failed to parse ATOM entry link.$Failed to parse unknown ATOM entry element: %ls$Failed to process all ATOM entry elements.$author$cabinet.dll$category$clbcatq.dll$content$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$link$msi.dll$published$summary$title$updated$version.dll
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004501DE: VariantInit.OLEAUT32(?), ref: 004501F5
                                                                                                                                                              • Part of subcall function 004501DE: VariantClear.OLEAUT32(?), ref: 00450340
                                                                                                                                                              • Part of subcall function 004501DE: SysFreeString.OLEAUT32(00000000), ref: 0045034B
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,00000000,condition,00000000,?,DetectionType,?,00000000,?,00000000,00000002,?,00406624,00000000), ref: 004236DB
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,00000000,arp,00000000,?,00406624,00000000,?), ref: 004237DB
                                                                                                                                                              • Part of subcall function 004501DE: SysAllocString.OLEAUT32(?), ref: 0045022F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$CompareVariant$AllocClearFreeInit
                                                                                                                                                            • String ID: ArpDisplayVersion$ArpId$ArpWin64$Bundle$DetectCondition$DetectionType$Failed to build full key path.$Failed to get @ArpDisplayVersion.$Failed to get @ArpId.$Failed to get @ArpWin64.$Failed to get @Bundle.$Failed to get @DetectCondition.$Failed to get @DetectionType.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to get @Uninstallable.$Failed to parse @ArpDisplayVersion: %ls$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid detection type: %ls$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallArguments$Uninstallable$arp$burn$condition$d:\a\wix4\wix4\src\burn\user\exeuser.cpp$netfx4$none
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00000000,00000000), ref: 0045B1BE
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0045B1DD
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to allocate application identity.$Failed to allocate application summary.$Failed to allocate application title.$Failed to allocate application type.$Failed to allocate content type.$Failed to allocate content.$Failed to allocate enclosures for application update entry.$Failed to allocate upgrade id.$Failed to compare version to upgrade version.$Failed to parse enclosure.$Failed to parse upgrade version string '%ls' from ATOM entry.$Failed to parse version string '%ls' from ATOM entry.$Upgrade version is greater than or equal to application version.$application$clbcatq.dll$comres.dll$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$msasn1.dll$msi.dll$true$type$upgrade$version$version.dll$wininet.dll
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,003F7D9B,003F7DDB,?,004140B9,?,?,003F7D5B,?,?,?,?,?,003F7D9B), ref: 003FBA98
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,004140B9,?,?,003F7D5B,?,?,?,?,?,003F7D9B), ref: 003FC00D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Attempt to add built-in variable: %ls$Attempt to add variable again: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing formatted variable '%ls' to value '%ls'$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$d:\a\wix4\wix4\src\burn\user\variable.cpp$formatted$numeric$string$version
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,00000000,rel,00000000,?,?,?,00000000), ref: 0045A40F
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045A6E8
                                                                                                                                                            Strings
                                                                                                                                                            • href, xrefs: 0045A442
                                                                                                                                                            • Failed to parse unknown ATOM link element: %ls, xrefs: 0045A692
                                                                                                                                                            • msi.dll, xrefs: 0045A624
                                                                                                                                                            • Failed to get child nodes of ATOM link element., xrefs: 0045A5F7
                                                                                                                                                            • rel, xrefs: 0045A403
                                                                                                                                                            • Failed to parse ATOM link length., xrefs: 0045A4BF
                                                                                                                                                            • crypt32.dll, xrefs: 0045A45F
                                                                                                                                                            • Failed to allocate ATOM link type., xrefs: 0045A53B
                                                                                                                                                            • Failed to allocate ATOM link value., xrefs: 0045A6C2
                                                                                                                                                            • Failed to process all ATOM link attributes., xrefs: 0045A5C6
                                                                                                                                                            • Failed to process all ATOM link elements., xrefs: 0045A67E
                                                                                                                                                            • title, xrefs: 0045A4D4
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0045A3CD, 0045A6A1, 0045A6D1
                                                                                                                                                            • length, xrefs: 0045A484
                                                                                                                                                            • comres.dll, xrefs: 0045A49E
                                                                                                                                                            • Failed to allocate ATOM link rel., xrefs: 0045A42D
                                                                                                                                                            • msasn1.dll, xrefs: 0045A6B6
                                                                                                                                                            • Failed get attributes for ATOM link., xrefs: 0045A3BE
                                                                                                                                                            • Failed to allocate ATOM link href., xrefs: 0045A46F
                                                                                                                                                            • Failed to parse unknown ATOM link attribute: %ls, xrefs: 0045A5B0
                                                                                                                                                            • version.dll, xrefs: 0045A552
                                                                                                                                                            • Failed to allocate ATOM link title., xrefs: 0045A4FD
                                                                                                                                                            • type, xrefs: 0045A512
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$CompareFree
                                                                                                                                                            • String ID: Failed get attributes for ATOM link.$Failed to allocate ATOM link href.$Failed to allocate ATOM link rel.$Failed to allocate ATOM link title.$Failed to allocate ATOM link type.$Failed to allocate ATOM link value.$Failed to get child nodes of ATOM link element.$Failed to parse ATOM link length.$Failed to parse unknown ATOM link attribute: %ls$Failed to parse unknown ATOM link element: %ls$Failed to process all ATOM link attributes.$Failed to process all ATOM link elements.$comres.dll$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(00000024,80000000,00000024,00000000,00000003,08000080,00000000,00000000,00000000,00000024,000000F8,00000001,00000000,000000F8,00000024,?), ref: 0045364E
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045365C
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045366E
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CreateFile
                                                                                                                                                            • String ID: *wzSrcPath is null$Failed to allocate memory to read in file: %ls$Failed to completely read file: %ls$Failed to get size of file: %ls$Failed to load file: %ls, too large.$Failed to open file: %ls$Failed to re-allocate memory to read in file: %ls$Failed to read from file: %ls$Failed to seek position %d$Invalid argument pcbDest$Invalid argument ppbDest$Invalid argument wzSrcPath$Start position %d bigger than file '%ls' size %llu$Underflow calculating remaining buffer size.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 1722934493-1253360392
                                                                                                                                                            • Opcode ID: 065de05257d1c15495af44b0a12438af728d56c362d2fe5d99dec4056e963ec6
                                                                                                                                                            • Instruction ID: 29e782a7d750bcddc96816101b3769b53b1c797b29a22d6ba79c7dfc9fbea2b2
                                                                                                                                                            • Opcode Fuzzy Hash: 065de05257d1c15495af44b0a12438af728d56c362d2fe5d99dec4056e963ec6
                                                                                                                                                            • Instruction Fuzzy Hash: 05C12DB1E40319BBEB215E509C4AF7F75649F44B93F11451AFE05BB2C2E6B89E0087A8
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,?), ref: 0040B729
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040B737
                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 0040B75B
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                                                                                            • String ID: @1#v$Failed to allocate name of parent cache pipe.$Failed to allocate name of parent logging pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent cache pipe: %ls$Failed to open parent logging pipe: %ls$Failed to open parent pipe: %ls$Failed to verify parent cache pipe: %ls$Failed to verify parent logging pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\user\pipe.cpp
                                                                                                                                                            • API String ID: 408151869-3470194919
                                                                                                                                                            • Opcode ID: f06c2c3f003052cb9e7d6bd1fdc8bd8a225562f7603404d6e627c7eced4344e6
                                                                                                                                                            • Instruction ID: bdce3435a4b5f876cab27934e1b6b08358619c4dff85d83b2a6c0acd74ea7eeb
                                                                                                                                                            • Opcode Fuzzy Hash: f06c2c3f003052cb9e7d6bd1fdc8bd8a225562f7603404d6e627c7eced4344e6
                                                                                                                                                            • Instruction Fuzzy Hash: D771EBB2D80725F7E72256918C4AF6A6918DF04B21F214136FF04BB2D1E3BC9D1096DE
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00429AD9
                                                                                                                                                              • Part of subcall function 0044BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,003F6E9A,00000001,003F6DEA,?,?,?,00457562,00000000), ref: 0044BFE1
                                                                                                                                                              • Part of subcall function 0044BFC9: GetProcAddress.KERNEL32(00000000), ref: 0044BFE8
                                                                                                                                                              • Part of subcall function 0044BFC9: GetLastError.KERNEL32(?,?,?,00457562,00000000), ref: 0044C010
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00429DF5
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00429E04
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to allocate WUSA.exe path., xrefs: 00429B7B
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\msuuser.cpp, xrefs: 00429AFD, 00429BE2, 00429D59
                                                                                                                                                            • Failed to get action arguments for MSU package., xrefs: 00429B9B
                                                                                                                                                            • Failed to append log switch to MSU command-line., xrefs: 00429C8E
                                                                                                                                                            • Failed to build MSU path., xrefs: 00429C20
                                                                                                                                                            • /log:, xrefs: 00429C7A
                                                                                                                                                            • Failed to find System32 directory., xrefs: 00429B50
                                                                                                                                                            • wusa.exe, xrefs: 00429B68
                                                                                                                                                            • Failed to format MSU install command., xrefs: 00429C54
                                                                                                                                                            • "%ls" "%ls" /quiet /norestart, xrefs: 00429C40
                                                                                                                                                            • Failed to append SysNative directory., xrefs: 00429B31
                                                                                                                                                            • Failed to ensure WU service was enabled to install MSU package., xrefs: 00429D10
                                                                                                                                                            • .#v@1#v, xrefs: 00429DF5, 00429E04
                                                                                                                                                            • SysNative\, xrefs: 00429B21
                                                                                                                                                            • Failed to run MSU process, xrefs: 00429D47
                                                                                                                                                            • Failed to get cached path for package: %ls, xrefs: 00429BD0
                                                                                                                                                            • WixBundleExecutePackageCacheFolder, xrefs: 00429BFB, 00429E1E
                                                                                                                                                            • Failed to append log path to MSU command-line., xrefs: 00429CBA
                                                                                                                                                            • Failed to determine WOW64 status., xrefs: 00429AEB
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                                                                                                                            • String ID: /log:$"%ls" "%ls" /quiet /norestart$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to format MSU install command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to run MSU process$SysNative\$WixBundleExecutePackageCacheFolder$d:\a\wix4\wix4\src\burn\user\msuuser.cpp$wusa.exe$.#v@1#v
                                                                                                                                                            • API String ID: 1400713077-604094543
                                                                                                                                                            • Opcode ID: 64a7de40596daba08ad6f1889afac592da98420f22ab776b6deb05a1d8ad1308
                                                                                                                                                            • Instruction ID: 4c1271ccdd43e3c2c36834f3c85a4e474bd9d228aefc906198e77496b13db017
                                                                                                                                                            • Opcode Fuzzy Hash: 64a7de40596daba08ad6f1889afac592da98420f22ab776b6deb05a1d8ad1308
                                                                                                                                                            • Instruction Fuzzy Hash: 9BA1C431F40629BBEF129E94DC46FEF7A65AF04700F510066FA04BA2D0D7B99D50DA98
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00455CB8: UuidCreate.RPCRT4(?), ref: 00455CDB
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 004367B4
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 004367CD
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$CreateUuid
                                                                                                                                                            • String ID: %ls$%ls /pipe %ls$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate section name.$Failed to append netfx chainer args.$Failed to append user args.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$d:\a\wix4\wix4\src\burn\user\netfxchainer.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 264999607-3388123532
                                                                                                                                                            • Opcode ID: afc01ff0e3b8b76a8369b9ee02054d7285ef69dcfd6b94c64a68f0bc37268e41
                                                                                                                                                            • Instruction ID: 0e5b60d7fecfb65fc3ec289da52aefd2cc107e198e17c87106a6a574210b0ada
                                                                                                                                                            • Opcode Fuzzy Hash: afc01ff0e3b8b76a8369b9ee02054d7285ef69dcfd6b94c64a68f0bc37268e41
                                                                                                                                                            • Instruction Fuzzy Hash: 83A17631E40329BBDB219BA4CC46FDE7BB4EB08715F118166F908FB281D7789D448B99
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array$Failed to resize Detect code array$Failed to resize Patch code array$Failed to resize Upgrade code array$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$d:\a\wix4\wix4\src\burn\user\bundlepackageuser.cpp
                                                                                                                                                            • API String ID: 0-738192170
                                                                                                                                                            • Opcode ID: 701c904980d379f1e6b857c6d8954a809d6f43bcec217b2779571364cca4c443
                                                                                                                                                            • Instruction ID: 1e8ae5dbd69b51303150a1ebc50f2c14857e7dbe8cfbcd442b1f3835a80696e4
                                                                                                                                                            • Opcode Fuzzy Hash: 701c904980d379f1e6b857c6d8954a809d6f43bcec217b2779571364cca4c443
                                                                                                                                                            • Instruction Fuzzy Hash: 74910130B80315BBDB11DE40DC46FAE3B72AB95B21F61411AF6247B2E0DAB89941DB19
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00407CDA
                                                                                                                                                              • Part of subcall function 0044D789: RegSetValueExW.ADVAPI32(?,00407A20,003F6CF2,EstimatedSize,000000FF,003F6CF2,00000000,?,00409AF0,00000000,00000390,000000F8,003F6CF2,004131C1,00000000,00000000), ref: 0044D7AD
                                                                                                                                                            • RegDeleteValueW.ADVAPI32(00000000,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00407C1F
                                                                                                                                                            • RegDeleteValueW.ADVAPI32(004131C1,BundleResumeCommandLine,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00407C6F
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$Delete$Close
                                                                                                                                                            • String ID: "%ls" /%ls /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to open run key.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.clean.room$burn.runonce$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 1871269255-1559682262
                                                                                                                                                            • Opcode ID: 89520e888e436b052edd580da9126860931aa221b3744aa352662dda9e0934d3
                                                                                                                                                            • Instruction ID: c5b9465c75a6ed2d406c10defde5bfa947abe07df9f6ad995636c3c3fdd85e70
                                                                                                                                                            • Opcode Fuzzy Hash: 89520e888e436b052edd580da9126860931aa221b3744aa352662dda9e0934d3
                                                                                                                                                            • Instruction Fuzzy Hash: F7511931E88725B6FB215A50CC4AFAF7A149B00B15F150137BA017A1C1E6BCBD509AEF
                                                                                                                                                            APIs
                                                                                                                                                            • GetStringTypeW.KERNEL32(00000001,?,00000001,?,00000018,?,00000000,00000000), ref: 003FC9C4
                                                                                                                                                            • GetStringTypeW.KERNEL32(00000001,?,00000001,00000048), ref: 003FCBEA
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: StringType
                                                                                                                                                            • String ID: AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to set symbol value.$NOT$Symbol was too long: %ls$d:\a\wix4\wix4\src\burn\user\condition.cpp
                                                                                                                                                            • API String ID: 4177115715-3768719858
                                                                                                                                                            • Opcode ID: a7be446a66895bf8bb0ffbfd431d677ebc9a973ae383aefb38ded018d54b2ca6
                                                                                                                                                            • Instruction ID: 63c1ae56c32be3a8c07281a572e4cd992b95f72544faac49d6306ffd6e7e2494
                                                                                                                                                            • Opcode Fuzzy Hash: a7be446a66895bf8bb0ffbfd431d677ebc9a973ae383aefb38ded018d54b2ca6
                                                                                                                                                            • Instruction Fuzzy Hash: 0202F2716E030DBADB268F54CE89BBABA69FB04700F205116FB059E6C1D3F5DA80D791
                                                                                                                                                            APIs
                                                                                                                                                            • GetExitCodeThread.KERNEL32(?,00000160,00000001,003F6CF2,00000000,000000FF,003F6DA2,00000000,000000B0,003F6CF2,003F6CF2,004130D0,00000160,?,003F6DA2), ref: 004305A1
                                                                                                                                                            • GetLastError.KERNEL32 ref: 004305AF
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to wait for cache check-point., xrefs: 00430883
                                                                                                                                                            • Failed to get cache thread exit code., xrefs: 004305DF
                                                                                                                                                            • Failed to execute related bundle., xrefs: 00430614
                                                                                                                                                            • Failed to execute uninstall MSI compatible package., xrefs: 00430897
                                                                                                                                                            • Failed to execute MSP package., xrefs: 004306F6
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\apply.cpp, xrefs: 004305D3, 004305D9, 004305ED, 00430850, 0043085B, 00430878, 004308C4
                                                                                                                                                            • Failed to execute BUNDLE package., xrefs: 0043064C
                                                                                                                                                            • Failed to execute begin MSI transaction action., xrefs: 004307C2
                                                                                                                                                            • Failed to execute dependency action., xrefs: 00430791
                                                                                                                                                            • Failed to execute MSI package., xrefs: 004306BD
                                                                                                                                                            • Failed to execute package provider registration action., xrefs: 00430764
                                                                                                                                                            • Failed to execute commit MSI transaction action., xrefs: 004307EF
                                                                                                                                                            • Failed to execute MSU package., xrefs: 00430737
                                                                                                                                                            • Cache thread exited unexpectedly with exit code: %u., xrefs: 00430866
                                                                                                                                                            • Invalid execute action., xrefs: 004308AB
                                                                                                                                                            • Failed to execute EXE package., xrefs: 00430684
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CodeErrorExitLastThread
                                                                                                                                                            • String ID: Cache thread exited unexpectedly with exit code: %u.$Failed to execute BUNDLE package.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute begin MSI transaction action.$Failed to execute commit MSI transaction action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to execute related bundle.$Failed to execute uninstall MSI compatible package.$Failed to get cache thread exit code.$Failed to wait for cache check-point.$Invalid execute action.$d:\a\wix4\wix4\src\burn\user\apply.cpp
                                                                                                                                                            • API String ID: 1352145401-3642936599
                                                                                                                                                            • Opcode ID: 90a462eb68d2d71734f438c41c2859ae6ce6da68cc79ec19438e585a05c6fcb6
                                                                                                                                                            • Instruction ID: 2a9c33801816d69d08e7ff71949ad3c8e4fde3aceb3ebc6d0a79dc2fe105cb60
                                                                                                                                                            • Opcode Fuzzy Hash: 90a462eb68d2d71734f438c41c2859ae6ce6da68cc79ec19438e585a05c6fcb6
                                                                                                                                                            • Instruction Fuzzy Hash: 96B1D231A41219BBEF15DE45CC56FAF7B68EB08B50F105166FA04BA2D1E2B4DD40CBE8
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045943E
                                                                                                                                                            Strings
                                                                                                                                                            • Failed get attributes on ATOM unknown element., xrefs: 004591F7
                                                                                                                                                            • Failed to allocate ATOM category term., xrefs: 00459341
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00459206, 00459402, 00459423
                                                                                                                                                            • Failed to allocate ATOM category scheme., xrefs: 004592A0
                                                                                                                                                            • term, xrefs: 004592B6
                                                                                                                                                            • Failed to get child nodes of ATOM category element., xrefs: 00459372
                                                                                                                                                            • scheme, xrefs: 00459275
                                                                                                                                                            • Failed to process all ATOM category elements., xrefs: 004593F3
                                                                                                                                                            • Failed to process all ATOM category attributes., xrefs: 0045932D
                                                                                                                                                            • label, xrefs: 00459233
                                                                                                                                                            • Failed to allocate ATOM category label., xrefs: 0045925F
                                                                                                                                                            • Failed to parse unknown ATOM category element: %ls, xrefs: 00459414
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString
                                                                                                                                                            • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM category label.$Failed to allocate ATOM category scheme.$Failed to allocate ATOM category term.$Failed to get child nodes of ATOM category element.$Failed to parse unknown ATOM category element: %ls$Failed to process all ATOM category attributes.$Failed to process all ATOM category elements.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$label$scheme$term
                                                                                                                                                            • API String ID: 3341692771-530868315
                                                                                                                                                            • Opcode ID: ee0076e25455387b73f204a20a46927c644a3ca35532db10ca2b94bd793da684
                                                                                                                                                            • Instruction ID: 7a1615741592413cbb2bb34a56afeddb3e61433ed1effd75fdcd1045cd1b7591
                                                                                                                                                            • Opcode Fuzzy Hash: ee0076e25455387b73f204a20a46927c644a3ca35532db10ca2b94bd793da684
                                                                                                                                                            • Instruction Fuzzy Hash: DB812431A44308FBDB059B90CC49F6E7775AB84716F20006AF911BB2E2DB78EE458B18
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: "%ls" /%ls /uninstall /quiet$Comments$Contact$Failed to delete %ls value.$Failed to write %ls value.$HelpLink$HelpTelephone$NoModify$NoRemove$ParentDisplayName$ParentKeyName$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$burn.clean.room$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 0-3056233166
                                                                                                                                                            • Opcode ID: 8300fb9bf8c704d9e6feb160323fbddf587698d3235f6c447b95f62a811d4ed1
                                                                                                                                                            • Instruction ID: 342979a029c825cbb348ffadf110c0d5990d9ffa9dd5f3b18d0ddedf944f884d
                                                                                                                                                            • Opcode Fuzzy Hash: 8300fb9bf8c704d9e6feb160323fbddf587698d3235f6c447b95f62a811d4ed1
                                                                                                                                                            • Instruction Fuzzy Hash: 8A61F532B88761B2EB3219168C5EF672C249B85F18F114077FE047E2D3A6B89D41D69E
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004596EC
                                                                                                                                                            Strings
                                                                                                                                                            • Failed get attributes on ATOM unknown element., xrefs: 004594C4
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 004594D3, 004596A4, 004596D5
                                                                                                                                                            • Failed to parse unknown ATOM content element: %ls, xrefs: 00459695
                                                                                                                                                            • Failed to process all ATOM content attributes., xrefs: 004595B5
                                                                                                                                                            • Failed to allocate ATOM content value., xrefs: 004596C6
                                                                                                                                                            • crypt32.dll, xrefs: 00459627
                                                                                                                                                            • Failed to allocate ATOM content type., xrefs: 00459528
                                                                                                                                                            • Failed to get child nodes of ATOM content element., xrefs: 004595FA
                                                                                                                                                            • url, xrefs: 0045953E
                                                                                                                                                            • Failed to allocate ATOM content scheme., xrefs: 004595C9
                                                                                                                                                            • type, xrefs: 00459500
                                                                                                                                                            • Failed to process all ATOM content elements., xrefs: 00459681
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString
                                                                                                                                                            • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM content scheme.$Failed to allocate ATOM content type.$Failed to allocate ATOM content value.$Failed to get child nodes of ATOM content element.$Failed to parse unknown ATOM content element: %ls$Failed to process all ATOM content attributes.$Failed to process all ATOM content elements.$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$type$url
                                                                                                                                                            APIs
                                                                                                                                                            • lstrlenW.KERNEL32(0001C580,003F73DE,00000000,003F6CF2,00009002,?,000000B0,00000000,00000000,000000B0,?,?,003F6CF2,00000000,00000000), ref: 0040C320
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,003F6CF2,00000000,00000000), ref: 0040C32B
                                                                                                                                                            • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000), ref: 0040C357
                                                                                                                                                            • ConnectNamedPipe.KERNEL32(?,00000000), ref: 0040C368
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040C372
                                                                                                                                                            • Sleep.KERNEL32(00000064), ref: 0040C39E
                                                                                                                                                            • SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000), ref: 0040C3CF
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040C4BB
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040C4F2
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastNamedPipe$HandleState$ConnectCurrentProcessSleeplstrlen
                                                                                                                                                            • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$d:\a\wix4\wix4\src\burn\user\pipe.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • GetTempFileNameW.KERNEL32(00000000,000000F6,?,00000000,00000000,00000104,00000000,7FFFFFFF,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,?), ref: 003F4C12
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F4C20
                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000005,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,?), ref: 003F4CB8
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F4CC5
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLast$CreateNameTemp
                                                                                                                                                            • String ID: %ls%x.TMP$Failed to allocate buffer for GetTempFileNameW.$Failed to allocate memory for file template.$Failed to allocate temp file name.$Failed to copy temp file string.$Failed to create file: %ls$Failed to create new temp file name.$Failed to create temp file.$Failed to get length of path to prefix.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000001,?,?,00420D82,00431FD9,8000FFFF,003F6DA2,00000008,00000000,00000000,?,?,8000FFFF,-000000AB), ref: 00435BB6
                                                                                                                                                            • GetProcessId.KERNEL32(?,00000000,?,00000001,08000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00435CDD
                                                                                                                                                              • Part of subcall function 0040C2ED: lstrlenW.KERNEL32(0001C580,003F73DE,00000000,003F6CF2,00009002,?,000000B0,00000000,00000000,000000B0,?,?,003F6CF2,00000000,00000000), ref: 0040C320
                                                                                                                                                              • Part of subcall function 0040C2ED: GetCurrentProcessId.KERNEL32(?,?,003F6CF2,00000000,00000000), ref: 0040C32B
                                                                                                                                                              • Part of subcall function 0040C2ED: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000), ref: 0040C357
                                                                                                                                                              • Part of subcall function 0040C2ED: ConnectNamedPipe.KERNEL32(?,00000000), ref: 0040C368
                                                                                                                                                              • Part of subcall function 0040C2ED: GetLastError.KERNEL32 ref: 0040C372
                                                                                                                                                              • Part of subcall function 0040C2ED: Sleep.KERNEL32(00000064), ref: 0040C39E
                                                                                                                                                              • Part of subcall function 0040C2ED: SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000), ref: 0040C3CF
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,000000FF,00420D82,?,00435B00,8000FFFF,00000008,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00435D7A
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,000000FF,00420D82,?,00435B00,8000FFFF,00000008,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00435D8D
                                                                                                                                                            Strings
                                                                                                                                                            • %ls, xrefs: 00435C7B
                                                                                                                                                            • Failed to append user args., xrefs: 00435C8F
                                                                                                                                                            • Failed to create embedded pipe., xrefs: 00435C27
                                                                                                                                                            • %ls -%ls %ls %ls %u, xrefs: 00435C4A
                                                                                                                                                            • Failed to wait for embedded executable: %ls, xrefs: 00435D55
                                                                                                                                                            • Failed to append embedded args., xrefs: 00435C5E
                                                                                                                                                            • Failed to process messages from embedded message., xrefs: 00435D2B
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\embedded.cpp, xrefs: 00435C07, 00435D64
                                                                                                                                                            • Failed to create embedded pipe name and client token., xrefs: 00435BF8
                                                                                                                                                            • .#v@1#v, xrefs: 00435D7A, 00435D8D
                                                                                                                                                            • Failed to create embedded process at path: %ls, xrefs: 00435CC6
                                                                                                                                                            • Failed to wait for embedded process to connect to pipe., xrefs: 00435CFC
                                                                                                                                                            • burn.embedded, xrefs: 00435C42
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Handle$NamedPipeProcess$CloseCurrentState$ConnectErrorLastSleeplstrlen
                                                                                                                                                            • String ID: %ls$%ls -%ls %ls %ls %u$Failed to append embedded args.$Failed to append user args.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$d:\a\wix4\wix4\src\burn\user\embedded.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,000000FF,?,?,00000078,00000000), ref: 00457817
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00457825
                                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00457883
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00457892
                                                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00457B0C
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00457B1B
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                                                                                                                            • String ID: Content-Length not returned for URL: %ls$Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$Range request not supported for URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 00407456
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 00407400
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeHeapString$AllocateProcess
                                                                                                                                                            • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegisterClassW.USER32(?), ref: 0041D3C1
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041D3CC
                                                                                                                                                            • CreateWindowExW.USER32(08000000,004722B4,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0041D439
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041D445
                                                                                                                                                            • ShowWindow.USER32(00000000,00000008), ref: 0041D486
                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 0041D497
                                                                                                                                                            • IsDialogMessageW.USER32(?,?), ref: 0041D4AB
                                                                                                                                                            • TranslateMessage.USER32(?), ref: 0041D4B9
                                                                                                                                                            • DispatchMessageW.USER32(?), ref: 0041D4C3
                                                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041D4D0
                                                                                                                                                            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0041D508
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ClassErrorLastWindow$CreateDialogDispatchEventRegisterShowTranslateUnregister
                                                                                                                                                            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$d:\a\wix4\wix4\src\burn\user\uithread.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F7162,003F6DEA,00000000,C95B5EC6,?,?,7D8B5756,?,003F6CF2,00000000,00000000,003F6DEA,003F7162,878D5010,003F6CF2), ref: 00401737
                                                                                                                                                            Strings
                                                                                                                                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 004015AC
                                                                                                                                                            • Failed to read registry value., xrefs: 0040169A
                                                                                                                                                            • Failed to query registry key value., xrefs: 004015C3
                                                                                                                                                            • Failed to open registry key., xrefs: 00401550
                                                                                                                                                            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0040170F
                                                                                                                                                            • Registry key not found. Key = '%ls', xrefs: 0040156E
                                                                                                                                                            • Unsupported registry key value type. Type = '%u', xrefs: 00401613
                                                                                                                                                            • Failed to format key string., xrefs: 004014C9
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 004015FF, 0040160A, 00401625, 004016FB
                                                                                                                                                            • Failed to format value string., xrefs: 004014FB
                                                                                                                                                            • Failed to set variable., xrefs: 004016E9
                                                                                                                                                            • Failed to change value type., xrefs: 004016C0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to change value type.$Failed to format key string.$Failed to format value string.$Failed to open registry key.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 003FE651
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 003FE65B
                                                                                                                                                            • WaitForInputIdle.USER32(?,?), ref: 003FE6BF
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 003FE708
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 003FE71A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$CreateErrorIdleInputLastProcessWait
                                                                                                                                                            • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$d:\a\wix4\wix4\src\burn\user\approvedexe.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000080,00000000,?,?,?,?,00000000,00000000), ref: 00430334
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00430342
                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 004303E5
                                                                                                                                                            • GetLastError.KERNEL32 ref: 004303F3
                                                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,Function_0003FC40,?), ref: 004304C1
                                                                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 004304D0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to open destination file to copy payload from: '%ls' to: %ls.$Failed to open source file to copy payload from: '%ls' to: %ls.$Failed to prepare payload destination path: %ls$Failed to read from start of source file to copy payload from: '%ls' to: %ls.$copy$d:\a\wix4\wix4\src\burn\user\apply.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,?,?,?,?,?,00429D0A,?), ref: 0042972C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00429D0A,?,?,?), ref: 0042973B
                                                                                                                                                            • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00429D0A,?,?,?), ref: 00429795
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00429D0A,?,?,?), ref: 004297A1
                                                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00429D0A,?,?,?), ref: 004297E9
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00429D0A,?,?,?), ref: 004297F3
                                                                                                                                                              • Part of subcall function 004298F9: ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00429898,00000000,00000003), ref: 00429910
                                                                                                                                                              • Part of subcall function 004298F9: GetLastError.KERNEL32(?,00429898,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00429D0A,?), ref: 0042991A
                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 004298D5
                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 004298E0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
                                                                                                                                                            • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$d:\a\wix4\wix4\src\burn\user\msuuser.cpp$wuauserv
                                                                                                                                                            • API String ID: 2017831661-2546018573
                                                                                                                                                            • Opcode ID: 963d834391555e11f51ed6a14b0a0e2637af4a77bff26264808f0c18b999ca69
                                                                                                                                                            • Instruction ID: 656df5e79bb887ad02ce49a7ae71194d064caa7dce37e535d1e326224f07a2fe
                                                                                                                                                            • Opcode Fuzzy Hash: 963d834391555e11f51ed6a14b0a0e2637af4a77bff26264808f0c18b999ca69
                                                                                                                                                            • Instruction Fuzzy Hash: BF510A36B40334B7E721AB55AC45FEF7AA49B45B50F564026FE08BB3C1D778DC008AA8
                                                                                                                                                            APIs
                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,?), ref: 003F446B
                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 003F447A
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?), ref: 003F4484
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?), ref: 003F44C9
                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,00000105,?,?,?), ref: 003F4509
                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,?), ref: 003F4517
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?), ref: 003F4525
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?), ref: 003F45B4
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$FileModuleName
                                                                                                                                                            • String ID: Failed to allocate space for module path.$Failed to get max length of input buffer.$Failed to get path for executing process.$Failed to get size of path for executing process.$Failed to re-allocate more space for module path.$Unexpected failure getting path for executing process.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                            • API String ID: 1026760046-3511924
                                                                                                                                                            • Opcode ID: 3971648bbb5245c4aa48fa8721dd74285e821dfc397a7576632ef99fa3bb6c4c
                                                                                                                                                            • Instruction ID: c3ef94ce8984896c7efe9f72f6d3ad7a0ee0ae7463398722693be88b00db6771
                                                                                                                                                            • Opcode Fuzzy Hash: 3971648bbb5245c4aa48fa8721dd74285e821dfc397a7576632ef99fa3bb6c4c
                                                                                                                                                            • Instruction Fuzzy Hash: 66412972A4032D77D7122A959C4DF7F6A6CAB02711F124021FF08FF282E364CD0456A5
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(003F6CF2,003F6CF2,004131C1,00000000,003F6CF2,004131C1,00000000,00000001,00000000,00020019,003F6CF2,004131C1,004131C1,00020019,00000000,003F6CF2), ref: 00455B9C
                                                                                                                                                            • RegCloseKey.ADVAPI32(003F6CF2,004131C1,004131C1,00020019,00000000,003F6CF2,00020019,004131C1,00000000,003F6CF2,-80000001,00000000,004131C1,004131C1,003F6CF2), ref: 00455C87
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,004131C1,004131C1,00020019,00000000,003F6CF2,00020019,004131C1,00000000,003F6CF2,-80000001,00000000,004131C1,004131C1,003F6CF2), ref: 00455C98
                                                                                                                                                            • RegCloseKey.ADVAPI32(004131C1,004131C1,004131C1,00020019,00000000,003F6CF2,00020019,004131C1,00000000,003F6CF2,-80000001,00000000,004131C1,004131C1,003F6CF2), ref: 00455CA9
                                                                                                                                                              • Part of subcall function 0044CC5E: RegQueryInfoKeyW.ADVAPI32(?,004071DB,003F6DEA,003F7162,003F6EDE,80000002,SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations,00020019,00000000,003F6DEA,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations2,00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager), ref: 0044CC85
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to delete the dependency "%ls"., xrefs: 00455C62
                                                                                                                                                            • Failed to delete the dependents subkey under the dependency "%ls"., xrefs: 00455BD9
                                                                                                                                                            • Failed to get the number of values under the dependency "%ls"., xrefs: 00455C09
                                                                                                                                                            • Failed to open root registry key "%ls"., xrefs: 00455A34
                                                                                                                                                            • Failed to open the registry key for the dependency "%ls"., xrefs: 00455A95
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00455A43, 00455B49
                                                                                                                                                            • Failed to delete the dependent "%ls" under the dependency "%ls"., xrefs: 00455B3A
                                                                                                                                                            • Failed to open the dependents subkey under the dependency "%ls"., xrefs: 00455AE9
                                                                                                                                                            • Failed to get the number of dependent subkeys under the dependency "%ls"., xrefs: 00455B77
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close$InfoQuery
                                                                                                                                                            • String ID: Failed to delete the dependency "%ls".$Failed to delete the dependent "%ls" under the dependency "%ls".$Failed to delete the dependents subkey under the dependency "%ls".$Failed to get the number of dependent subkeys under the dependency "%ls".$Failed to get the number of values under the dependency "%ls".$Failed to open root registry key "%ls".$Failed to open the dependents subkey under the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                            • API String ID: 852846383-1164676106
                                                                                                                                                            • Opcode ID: 9fb2625d0490cdeed2c71bbe4d3d9bc49db9b46884102580b7ab6b13d58d1be7
                                                                                                                                                            • Instruction ID: f4687dfff609385749af87dc477a07baf6c258ec426cbca67a3b47aaad5e9ca9
                                                                                                                                                            • Opcode Fuzzy Hash: 9fb2625d0490cdeed2c71bbe4d3d9bc49db9b46884102580b7ab6b13d58d1be7
                                                                                                                                                            • Instruction Fuzzy Hash: 93711931E40B25FBDB325E958CDAF7F6A649B00712F15023BBD01BB292D2788D4496D9
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045AB27
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045AB36
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045AB45
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to allocate ATOM unknown element name., xrefs: 0045A9DF
                                                                                                                                                            • Failed get attributes on ATOM unknown element., xrefs: 0045AA59
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0045A90C, 0045A917, 0045A92C, 0045A977
                                                                                                                                                            • Failed to enumerate all attributes on ATOM unknown element., xrefs: 0045AADE
                                                                                                                                                            • Failed to parse attribute on ATOM unknown element., xrefs: 0045AAF2
                                                                                                                                                            • Failed to get unknown element namespace., xrefs: 0045A989
                                                                                                                                                            • Failed to allocate unknown element., xrefs: 0045A91D
                                                                                                                                                            • Failed to allocate ATOM unknown element value., xrefs: 0045AA2B
                                                                                                                                                            • Failed to allocate ATOM unknown element namespace., xrefs: 0045A968
                                                                                                                                                            • Failed to get unknown element value., xrefs: 0045AA03
                                                                                                                                                            • Failed to get unknown element name., xrefs: 0045A9BA
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString$Heap$AllocateProcess
                                                                                                                                                            • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM unknown element name.$Failed to allocate ATOM unknown element namespace.$Failed to allocate ATOM unknown element value.$Failed to allocate unknown element.$Failed to enumerate all attributes on ATOM unknown element.$Failed to get unknown element name.$Failed to get unknown element namespace.$Failed to get unknown element value.$Failed to parse attribute on ATOM unknown element.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                            • API String ID: 2724874077-2936770743
                                                                                                                                                            • Opcode ID: 388c812b37b86c7156386d337551c499372ec052202961b85129872c2805b2ff
                                                                                                                                                            • Instruction ID: 2ae853349ff08d636292abbd3bc9f8250901cc23d269414bb5ae3b565ac4280d
                                                                                                                                                            • Opcode Fuzzy Hash: 388c812b37b86c7156386d337551c499372ec052202961b85129872c2805b2ff
                                                                                                                                                            • Instruction Fuzzy Hash: 06812571740315BBDB15DB10CC09F6E7779AF80B06F11005AFA01AB2D2EBB4AE05CB5A
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,003F6570,?,?,003FE2FF,feclient.dll,?,00000000,00000000,?,?,?,003F6C5C,00000000), ref: 003FD854
                                                                                                                                                            • GetLastError.KERNEL32(?,?,003FE2FF,feclient.dll,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 003FD860
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorHandleLastModule
                                                                                                                                                            • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$clbcatq.dll$d:\a\wix4\wix4\src\burn\user\section.cpp
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0045699C: FindResourceExA.KERNEL32(?,0000000A,?,00000000), ref: 004569AD
                                                                                                                                                              • Part of subcall function 0045699C: GetLastError.KERNEL32(?,0041D16B,?,00000001,?,?), ref: 004569B9
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 0041D2CD
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?), ref: 0041D2E2
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$ErrorFindLastResource
                                                                                                                                                            • String ID: Failed to create UI thread.$Failed to create modal event.$Failed to load splash screen configuration.$Failed to read splash screen configuration resource.$Invalid splash screen type: %i$d:\a\wix4\wix4\src\burn\user\splashscreen.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003FA8A3: EnterCriticalSection.KERNEL32(003F7D5B,WixBundleOriginalSource,?,?,0040F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,003F7D5B,?,00000001,003F7DDB,?,?), ref: 003FA8AF
                                                                                                                                                              • Part of subcall function 003FA8A3: LeaveCriticalSection.KERNEL32(003F7D5B,003F7D5B,00000000,00000000,?,?,0040F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,003F7D5B,?,00000001,003F7DDB), ref: 003FA934
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,WixBundleLastUsedSource,?), ref: 0040F087
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,WixBundleLastUsedSource,?), ref: 0040F0A4
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareCriticalSectionString$EnterLeave
                                                                                                                                                            • String ID: Failed to combine last source with relative.$Failed to combine last source with source.$Failed to combine layout source with relative.$Failed to combine layout source with source.$Failed to combine source process folder with relative.$Failed to combine source process folder with source.$Failed to copy absolute source path.$Failed to ensure size for search paths array.$WixBundleLastUsedSource$WixBundleOriginalSourceFolder$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to copy local source path for pseudo bundle., xrefs: 004357DC
                                                                                                                                                            • Failed to copy download source for pseudo bundle., xrefs: 00435812
                                                                                                                                                            • Failed to allocate memory for update bundle payload hash., xrefs: 004358AC
                                                                                                                                                            • Failed to copy id for update bundle., xrefs: 00435917
                                                                                                                                                            • Failed to allocate space for burn payload inside of update bundle struct, xrefs: 0043573E
                                                                                                                                                            • Failed to copy install arguments for update bundle package, xrefs: 0043596A
                                                                                                                                                            • Failed to allocate space for burn payload group inside of update bundle struct, xrefs: 004356FA
                                                                                                                                                            • Failed to copy filename for pseudo bundle., xrefs: 004357B1
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\pseudobundle.cpp, xrefs: 004356E7, 004356F2, 0043570C, 0043572B, 00435736, 0043586E, 00435899, 004358A4, 0043597C
                                                                                                                                                            • Failed to decode hash string: %ls., xrefs: 0043585C
                                                                                                                                                            • Failed to copy cache id for update bundle., xrefs: 00435940
                                                                                                                                                            • Failed to copy key for pseudo bundle payload., xrefs: 00435786
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                            • String ID: Failed to allocate memory for update bundle payload hash.$Failed to allocate space for burn payload group inside of update bundle struct$Failed to allocate space for burn payload inside of update bundle struct$Failed to copy cache id for update bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy id for update bundle.$Failed to copy install arguments for update bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy local source path for pseudo bundle.$Failed to decode hash string: %ls.$d:\a\wix4\wix4\src\burn\user\pseudobundle.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • OpenProcessToken.ADVAPI32(0045639A,00000008,00000000,00000000,00000000,?,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000), ref: 0044BB41
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000,?,?,0045639A), ref: 0044BB4B
                                                                                                                                                            • GetTokenInformation.ADVAPI32(00000000,?,00000000,00000000,0045639A,?,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000), ref: 0044BB9D
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000,?,?,0045639A), ref: 0044BBA7
                                                                                                                                                            • GetTokenInformation.ADVAPI32(00000000,?,00000000,0045639A,0045639A,0045639A,00000001,00000000,?,?,?,0044BECF,0045639A,00000001,00000000,00000000), ref: 0044BC33
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000,?,?,0045639A), ref: 0044BC3D
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,0044BECF,0045639A,00000001,00000000,00000000,00000000,?,?,0045639A), ref: 0044BCA1
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastToken$Information$CloseHandleOpenProcess
                                                                                                                                                            • String ID: Failed to allocate token information.$Failed to get information from process token size.$Failed to get information from process token.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044CAFE: RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,00407102,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,003F6EDE,00000000), ref: 0044CB9B
                                                                                                                                                            • RegCloseKey.ADVAPI32(003F6DEA,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002,SOFTWARE\Microsoft\Updates,UpdateExeVolatile,00000000,003F6EDE,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,003F6EDE,00000000), ref: 004071F8
                                                                                                                                                            Strings
                                                                                                                                                            • SOFTWARE\Microsoft\Updates, xrefs: 00407119
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending, xrefs: 00407133
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, xrefs: 00407169
                                                                                                                                                            • PendingFileRenameOperations2, xrefs: 00407196
                                                                                                                                                            • CurrentRebootAttempts, xrefs: 004070EA
                                                                                                                                                            • PendingFileRenameOperations, xrefs: 0040717F
                                                                                                                                                            • AUState, xrefs: 00407164
                                                                                                                                                            • UpdateExeVolatile, xrefs: 00407114
                                                                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 004071B6
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress, xrefs: 0040714A
                                                                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00407184, 0040719B
                                                                                                                                                            • SOFTWARE\Microsoft\ServerManager, xrefs: 004070EF
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: AUState$CurrentRebootAttempts$PendingFileRenameOperations$PendingFileRenameOperations2$SOFTWARE\Microsoft\ServerManager$SOFTWARE\Microsoft\Updates$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$UpdateExeVolatile
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(003F73DE,00000000,003F6CF2,2000000A,2000000A,?,0041B226,003F6CF2,?,003F73DE,00000001,003F73DE,003F73E2,003F6DA2,003F6CF2,00000000), ref: 00416979
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,003F6CF2,00000000,00000000), ref: 00416A82
                                                                                                                                                              • Part of subcall function 00452587: ShellExecuteExW.SHELL32 ref: 00452603
                                                                                                                                                              • Part of subcall function 00452587: GetLastError.KERNEL32 ref: 00452609
                                                                                                                                                              • Part of subcall function 00452587: CloseHandle.KERNEL32(?), ref: 00452659
                                                                                                                                                            • GetProcessId.KERNEL32(00000000,0154B7FF,003F6CF2,runas,00000000,00000008,?,00000000,00000000,000000B0,?,?,003F6CF2,00000000,00000000), ref: 00416A62
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandleProcess$CurrentErrorExecuteLastShell
                                                                                                                                                            • String ID: -%ls=%ls$-q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$Failed to set log mode in elevated process command-line.$burn.elevated$burn.log.mode$d:\a\wix4\wix4\src\burn\user\elevation.cpp$runas$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 004198F9
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to execute compatible MSI package.$Failed to find package: %ls$Failed to read MSI compatible package id.$Failed to read MSI package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$Package '%ls' has no compatible MSI package$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\user\elevation.cpp
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,?,0042E3CA,?), ref: 0045B63B
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,?,0042E3CA,?,003F6DA2,00000000,?,003F6DA2,00000000), ref: 0045B656
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to allocate default application type., xrefs: 0045B707
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 0045B6ED, 0045B721, 0045B7BD
                                                                                                                                                            • http://appsyndication.org/2006/appsyn, xrefs: 0045B62E
                                                                                                                                                            • application, xrefs: 0045B648
                                                                                                                                                            • Failed to reallocate memory for update entries., xrefs: 0045B7C9
                                                                                                                                                            • Failed to process ATOM entry., xrefs: 0045B7DA
                                                                                                                                                            • Failed to allocate default application id., xrefs: 0045B715
                                                                                                                                                            • Failed to allocate memory for update entries., xrefs: 0045B6F9
                                                                                                                                                            • type, xrefs: 0045B67D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareHeapString$AllocateProcess
                                                                                                                                                            • String ID: Failed to allocate default application id.$Failed to allocate default application type.$Failed to allocate memory for update entries.$Failed to process ATOM entry.$Failed to reallocate memory for update entries.$application$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00458654
                                                                                                                                                              • Part of subcall function 0045666D: RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00456717
                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00458791
                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 004587A0
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close$DeleteErrorFileHandleLast
                                                                                                                                                            • String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to open internet session$Ignoring failure to get size and time for URL: %ls (error 0x%x)$WiX\Burn$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0040E331
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040E341
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E48D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$Payload has no verification information: %ls$d:\a\wix4\wix4\src\burn\user\cache.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 2528220319-573069832
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(SeShutdownPrivilege,?,00000000,00000001,A0000005,?,003F8015,?,?,?,?,?,?), ref: 003F6A39
                                                                                                                                                              • Part of subcall function 0044B884: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0044B8BC
                                                                                                                                                              • Part of subcall function 0044B884: GetLastError.KERNEL32 ref: 0044B8C6
                                                                                                                                                              • Part of subcall function 0044B884: CloseHandle.KERNEL32(00000000), ref: 0044B9DD
                                                                                                                                                            • Sleep.KERNEL32(000003E8,?,00000001,00000000,?,003F8015,?,?,?,?,?,?), ref: 003F6A8C
                                                                                                                                                            • InitiateSystemShutdownExW.ADVAPI32(?,003F8015,?,?,?,?), ref: 003F6AAB
                                                                                                                                                            • GetLastError.KERNEL32(?,003F8015,?,?,?,?,?,?), ref: 003F6AB1
                                                                                                                                                              • Part of subcall function 004160F9: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,003F6A7F,?,00000001,00000000,?,003F8015,?,?,?,?,?,?), ref: 00416108
                                                                                                                                                              • Part of subcall function 004160F9: LeaveCriticalSection.KERNEL32(?,?,003F6A7F,?,00000001,00000000,?,003F8015,?,?,?,?,?,?), ref: 00416129
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F6B21
                                                                                                                                                            • Sleep.KERNEL32(000000FA,?,003F8015,?,?,?,?,?,?), ref: 003F6B3B
                                                                                                                                                            • Sleep.KERNEL32(000000FA,?,003F8015,?,?,?,?,?,?), ref: 003F6B70
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F6B7C
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Sleep$CriticalErrorLastSectionWindow$CloseCurrentEnterHandleInitiateLeaveLookupPrivilegeProcessShutdownSystemValue
                                                                                                                                                            • String ID: Failed to enable shutdown privilege in process token.$Failed to schedule restart.$SeShutdownPrivilege$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 2197606043-2157809017
                                                                                                                                                            APIs
                                                                                                                                                            • SetProcessShutdownParameters.KERNEL32(000003FF,00000000,?,00000000,?,?,?,?,00000000,00000001), ref: 0041D74C
                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041D757
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041D764
                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0041D370,?,00000000,00000000), ref: 0041D7CC
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041D7D9
                                                                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0041D81F
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041D838
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0041D849
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsParametersProcessShutdownThreadWait
                                                                                                                                                            • String ID: Failed to create initialization event.$Failed to create the UI thread.$d:\a\wix4\wix4\src\burn\user\uithread.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 665835008-3121774425
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,00000024,00000001,00000001,00000000,?,000000F8,00000001,00000000,000000F8,00000024,?,00000000,?), ref: 003FA317
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003FA61A
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FA60A
                                                                                                                                                            • Failed to set variable value., xrefs: 003FA508, 003FA569, 003FA594
                                                                                                                                                            • Failed to read variable value as number., xrefs: 003FA580
                                                                                                                                                            • Failed to read variable value as string., xrefs: 003FA536, 003FA5A8
                                                                                                                                                            • Failed to read variable included flag., xrefs: 003FA5F8
                                                                                                                                                            • Failed to read variable name., xrefs: 003FA5E4
                                                                                                                                                            • Failed to parse variable value as version., xrefs: 003FA51F
                                                                                                                                                            • Unsupported variable type., xrefs: 003FA54D
                                                                                                                                                            • Failed to set variable., xrefs: 003FA5BC
                                                                                                                                                            • Failed to read variable count., xrefs: 003FA337
                                                                                                                                                            • Failed to read variable value type., xrefs: 003FA5D0
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to parse variable value as version.$Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-1722372363
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __aulldiv
                                                                                                                                                            • String ID: BA aborted acquire of %hs: %ls$BA aborted container or payload verify: %ls$BA aborted extract container: %ls, payload: %ls$BA aborted finalize step during verify of %hs: %ls$BA aborted hash step during verify of %hs: %ls$BA aborted payload verify step during verify of %hs: %ls$BA aborted stage step during verify of %hs: %ls$container$d:\a\wix4\wix4\src\burn\user\apply.cpp$payload
                                                                                                                                                            • API String ID: 3732870572-4228037252
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000), ref: 0044C811
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to concatenate paths while recursively deleting subkeys. Path1: %ls, Path2: %ls$Failed to delete registry key (ex).$Failed to delete registry key.$Failed to enumerate key 0$Failed to open this key for enumerating subkeys: %ls$Failed to recursively delete subkey: %ls$RegInitialize must be called first in order to RegDelete() a key with non-default bit attributes!$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 3535843008-329788176
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(68056A00,?,00000000,?,003F80B3,?,?,?,?), ref: 003F7792
                                                                                                                                                            • CloseHandle.KERNEL32(00010068,?,00000000,?,003F80B3,?,?,?,?), ref: 003F77A9
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(003F876B,?,00000000,?,003F80B3,?,?,?,?), ref: 003F77BC
                                                                                                                                                            • CloseHandle.KERNEL32(5468FFFF,?,003F80B3,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003F77CF
                                                                                                                                                            • CloseHandle.KERNEL32(53004625,?,003F80B3,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003F77E6
                                                                                                                                                            • CloseHandle.KERNEL32(E850C094,003F879F,003F87BB,?,003F80B3,?,?,?,?), ref: 003F7825
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(003F817F,003F84EF,003F879F,003F87BB,?,003F80B3,?,?,?,?), ref: 003F7844
                                                                                                                                                              • Part of subcall function 00449966: LocalFree.KERNEL32(003F7FB7,?,003F7764,d:\a\wix4\wix4\src\burn\user\variable.cpp,?,00000000,?,003F80B3,?,?,?,?), ref: 00449970
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(003F87D7,003F828B,003F80F3,003F829F,003F8293,003F81AB,0'F,003F8133,003F82C3,003F84D3,003F843B,003F8163,?,003F80B3,?,?), ref: 003F79B6
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$CriticalDeleteSection$FreeLocal
                                                                                                                                                            • String ID: 0'F$d:\a\wix4\wix4\src\burn\user\variable.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 352808245-1187968033
                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(0045E7C0,00000000,00000008,?,BundleExtensionData.xml,00000001,?,00000000,?), ref: 004001D1
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,BundleExtensionCreate), ref: 004001E8
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                                                            • String ID: BundleExtensionCreate$BundleExtensionData.xml$Failed to create BundleExtension '%ls'.$Failed to get BundleExtensionCreate entry-point '%ls'.$Failed to get BundleExtensionDataPath.$Failed to load BundleExtension DLL '%ls': '%ls'.$d:\a\wix4\wix4\src\burn\user\burnextension.cpp
                                                                                                                                                            • API String ID: 2574300362-134146731
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,003F6DEA,00000000,C95B5EC6,00000000,00000000,00000000,54B7FF10,003F6DEA,00000001,00000001,003F6CF2,00000000,8D000001,003F6DEA), ref: 00401472
                                                                                                                                                            Strings
                                                                                                                                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 004013F8
                                                                                                                                                            • Failed to query registry key value., xrefs: 004013DD
                                                                                                                                                            • Registry key not found. Key = '%ls', xrefs: 00401346
                                                                                                                                                            • Failed to format key string., xrefs: 004012C5
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 0040132D, 004013D2, 004013D7, 004013EF, 00401436
                                                                                                                                                            • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0040144A
                                                                                                                                                            • Failed to format value string., xrefs: 0040137B
                                                                                                                                                            • Failed to set variable., xrefs: 00401424
                                                                                                                                                            • Failed to open registry key. Key = '%ls', xrefs: 0040131B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            • API String ID: 3535843008-2242727714
                                                                                                                                                            APIs
                                                                                                                                                            • IsWindow.USER32(?), ref: 0041CC5D
                                                                                                                                                            • LoadBitmapW.USER32(?,?), ref: 0041CC84
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041CC90
                                                                                                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0041CCD1
                                                                                                                                                            • GetCursorPos.USER32(?), ref: 0041CCED
                                                                                                                                                            • CreateWindowExW.USER32(00000080,WixBurnSplashScreen,?,90000000,80000000,80000000,?,?,00000000,00000000,?,?), ref: 0041CD85
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041CD92
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastWindow$BitmapCreateCursorLoadObject
                                                                                                                                                            • String ID: Failed to create window.$Failed to load splash screen bitmap.$WixBurnSplashScreen$d:\a\wix4\wix4\src\burn\user\splashscreen.cpp
                                                                                                                                                            • API String ID: 1087062382-1388761367
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045A8B1
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045A8C0
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045A8CF
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0045A763, 0045A76E, 0045A783, 0045A7CE
                                                                                                                                                            • Failed to get unknown attribute namespace., xrefs: 0045A7E0
                                                                                                                                                            • Failed to allocate unknown attribute., xrefs: 0045A774
                                                                                                                                                            • Failed to get unknown attribute value., xrefs: 0045A854
                                                                                                                                                            • Failed to allocate ATOM unknown attribute namespace., xrefs: 0045A7BF
                                                                                                                                                            • Failed to allocate ATOM unknown attribute name., xrefs: 0045A833
                                                                                                                                                            • Failed to allocate ATOM unknown attribute value., xrefs: 0045A87C
                                                                                                                                                            • Failed to get unknown attribute name., xrefs: 0045A80E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString$Heap$AllocateProcess
                                                                                                                                                            • String ID: Failed to allocate ATOM unknown attribute name.$Failed to allocate ATOM unknown attribute namespace.$Failed to allocate ATOM unknown attribute value.$Failed to allocate unknown attribute.$Failed to get unknown attribute name.$Failed to get unknown attribute namespace.$Failed to get unknown attribute value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                            • API String ID: 2724874077-797782994
                                                                                                                                                            APIs
                                                                                                                                                            • GetSystemWindowsDirectoryW.KERNEL32(00000000,00000105), ref: 00452390
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00456531,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019), ref: 0045239C
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get Windows directory path with returned size., xrefs: 00452444
                                                                                                                                                            • Failed to get Windows directory path with default size., xrefs: 004523CC
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00452379, 004523C0, 004523C6, 004523D7, 00452439, 0045243E, 004524AC
                                                                                                                                                            • Failed to alloc Windows directory path., xrefs: 0045236A
                                                                                                                                                            • Failed to terminate Windows directory path with backslash., xrefs: 0045249D
                                                                                                                                                            • Failed to realloc Windows directory path., xrefs: 004523F2
                                                                                                                                                            • Failed to concat subdirectory on Windows directory path., xrefs: 00452477
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorLastSystemWindows
                                                                                                                                                            • String ID: Failed to alloc Windows directory path.$Failed to concat subdirectory on Windows directory path.$Failed to get Windows directory path with default size.$Failed to get Windows directory path with returned size.$Failed to realloc Windows directory path.$Failed to terminate Windows directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                            • API String ID: 505562763-519864416
                                                                                                                                                            • Opcode ID: 33af9427c8fecc57925b4f03cb7dd78ae6d28dd11a319ebe0c45a0e84bc426a4
                                                                                                                                                            • Instruction ID: 18c544bba0cb47acf596f23c2887da682bcd4584847de20d6049fe9ecdb866a8
                                                                                                                                                            • Opcode Fuzzy Hash: 33af9427c8fecc57925b4f03cb7dd78ae6d28dd11a319ebe0c45a0e84bc426a4
                                                                                                                                                            • Instruction Fuzzy Hash: FF412A32A80736B3D72266949D4AFAF25189B43B52F114123FD00BF283E7EC8D0157E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetSystemWow64DirectoryW.KERNEL32(?,00000105,?,00000105), ref: 003F4A67
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F4A73
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 003F4A97, 003F4A9D, 003F4AAE, 003F4B33, 003F4B38, 003F4B74
                                                                                                                                                            • Failed to get system wow64 directory path with default size., xrefs: 003F4AA3
                                                                                                                                                            • Failed to realloc system wow64 directory path., xrefs: 003F4AF0
                                                                                                                                                            • Failed to get system wow64 directory path with returned size., xrefs: 003F4B3E
                                                                                                                                                            • Failed to allocate space for system wow64 directory., xrefs: 003F4AC9
                                                                                                                                                            • Failed to get max length of input buffer., xrefs: 003F4A4A
                                                                                                                                                            • Failed to terminate system wow64 directory path with backslash., xrefs: 003F4B65
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorLastSystemWow64
                                                                                                                                                            • String ID: Failed to allocate space for system wow64 directory.$Failed to get max length of input buffer.$Failed to get system wow64 directory path with default size.$Failed to get system wow64 directory path with returned size.$Failed to realloc system wow64 directory path.$Failed to terminate system wow64 directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                            • API String ID: 1255099494-3047029672
                                                                                                                                                            • Opcode ID: b30222868ccc4b3c40eae21661ccbc98f34ab6c94887cadf6f84cb76b4f62b8f
                                                                                                                                                            • Instruction ID: 161cf0489d94b9f478d8f922b91b0695a2f04c01dd9f6ba3f93a28cff9f8401c
                                                                                                                                                            • Opcode Fuzzy Hash: b30222868ccc4b3c40eae21661ccbc98f34ab6c94887cadf6f84cb76b4f62b8f
                                                                                                                                                            • Instruction Fuzzy Hash: 06312A72A8173DB3DB2306559C4AF7F696CDB41B62F120121BF44BF283E2A4DD0486E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003F4904
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F18D8,?,?,00000000,?,?,?,003F18B7,?,?,00000000,00000000), ref: 003F4910
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get system directory path with returned size., xrefs: 003F49DA
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 003F4934, 003F493A, 003F494B, 003F49CF, 003F49D4, 003F4A0F
                                                                                                                                                            • Failed to realloc system directory path., xrefs: 003F498C
                                                                                                                                                            • Failed to terminate system directory path with backslash., xrefs: 003F4A00
                                                                                                                                                            • Failed to get system directory path with default size., xrefs: 003F4940
                                                                                                                                                            • Failed to allocate space for system directory., xrefs: 003F4966
                                                                                                                                                            • Failed to get max length of input buffer., xrefs: 003F48E7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorLastSystem
                                                                                                                                                            • String ID: Failed to allocate space for system directory.$Failed to get max length of input buffer.$Failed to get system directory path with default size.$Failed to get system directory path with returned size.$Failed to realloc system directory path.$Failed to terminate system directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                            • API String ID: 3081803543-4099084807
                                                                                                                                                            • Opcode ID: 6d001f291af8bd6abaacdff411e9a9d2c3f18f0221ef7b19a8f1ff6ba4394cde
                                                                                                                                                            • Instruction ID: 5a728504bc726c778085d49b508ca6296b42297f229d8398b0fb9fb1b17fcecf
                                                                                                                                                            • Opcode Fuzzy Hash: 6d001f291af8bd6abaacdff411e9a9d2c3f18f0221ef7b19a8f1ff6ba4394cde
                                                                                                                                                            • Instruction Fuzzy Hash: 0D310772B8132E77E72356558C4AF7F696CDB05B61F120121BF00BB282E7E49C0486E8
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0040E1DE
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040E1EE
                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E305
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: %ls container from working path '%ls' to path '%ls'$Container has no verification information: %ls$Copying$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$d:\a\wix4\wix4\src\burn\user\cache.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 2528220319-1736372230
                                                                                                                                                            • Opcode ID: 60b3f5d1aa38a91c76129d88eab055f0b0a29faf6e1a93f3b347415dd4587cd7
                                                                                                                                                            • Instruction ID: e7608f5beb84da0aeffc8466651f42216d7d28ca6494c1ffa550c63cc0c74458
                                                                                                                                                            • Opcode Fuzzy Hash: 60b3f5d1aa38a91c76129d88eab055f0b0a29faf6e1a93f3b347415dd4587cd7
                                                                                                                                                            • Instruction Fuzzy Hash: 4231BC32640214BBEF125E959C4AFAF3A29EF45B50F104569FF047E1D1D3B5C8309BA9
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,8000FFFF,0045E7E8,00000000,00000000,00000000,00000000,8000FFFF,?,8000FFFF,8000FFFF,003F6DA2), ref: 003FB5E6
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003FB83F
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to write variable count., xrefs: 003FB603
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FB615, 003FB82A
                                                                                                                                                            • Failed to write variable name., xrefs: 003FB804
                                                                                                                                                            • Failed to write variable value as number., xrefs: 003FB7A0
                                                                                                                                                            • Failed to get numeric., xrefs: 003FB7B4
                                                                                                                                                            • Failed to write variable value as string., xrefs: 003FB7C8
                                                                                                                                                            • Failed to write variable value type., xrefs: 003FB7F0
                                                                                                                                                            • Failed to write included flag., xrefs: 003FB818
                                                                                                                                                            • Unsupported variable type., xrefs: 003FB784
                                                                                                                                                            • Failed to get string., xrefs: 003FB7DC
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to get numeric.$Failed to get string.$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Variant$AllocClearInitString
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed put_preserveWhiteSpace$failed put_resolveExternals$failed put_validateOnParse$failed to allocate bstr for Path in XmlLoadDocumentFromFileEx$failed to load XML from: %ls
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00454F04: lstrlenW.KERNEL32(003F7162,003F6DEA,?,?,?,00455488,003F7162,003F6DEA,003F6EC2,003F6DEA,003F6DEA,?,?,?,00410D28,0D8C6817), ref: 00454F2A
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,003F6CF2,00000000,00000000,00000000), ref: 004552A2
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,003F6CF2,00000000,00000000,00000000), ref: 004552B5
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to open the registry key "%ls". The dependency store is corrupt., xrefs: 0045516F
                                                                                                                                                            • Failed to get the name of the dependent from the key "%ls"., xrefs: 004552EB
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00455121, 0045521F, 0045530E
                                                                                                                                                            • Failed to allocate the registry key for dependency "%ls"., xrefs: 00455112
                                                                                                                                                            • Failed to add the dependent key "%ls" to the string array., xrefs: 004552D7
                                                                                                                                                            • Failed to check the dictionary of ignored dependents., xrefs: 00455210
                                                                                                                                                            • Failed to enumerate the dependents key of "%ls"., xrefs: 004552FF
                                                                                                                                                            • Failed to open the registry key for dependents of "%ls"., xrefs: 004551C4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close$lstrlen
                                                                                                                                                            • String ID: Failed to add the dependent key "%ls" to the string array.$Failed to allocate the registry key for dependency "%ls".$Failed to check the dictionary of ignored dependents.$Failed to enumerate the dependents key of "%ls".$Failed to get the name of the dependent from the key "%ls".$Failed to open the registry key "%ls". The dependency store is corrupt.$Failed to open the registry key for dependents of "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000003,?,?,0044A94F,?,?), ref: 003F32DB
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0044A94F,?,?,00000000,0000FDE9,?,003F7B05,00000003), ref: 003F32E7
                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,0044A94F,?,00000000,00000000,00000000,00000000,00000003,?,?,0044A94F,?,?), ref: 003F33E6
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0044A94F,?,?,00000000,0000FDE9,?,003F7B05,00000003), ref: 003F33F0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharErrorLastMultiWide
                                                                                                                                                            • String ID: Not enough memory to allocate string of size: %u$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp$failed to allocate string, len: %u$failed to convert to ansi: %ls$failed to get required size for conversion to ANSI: %ls$failed to get size of destination string
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00454F04: lstrlenW.KERNEL32(003F7162,003F6DEA,?,?,?,00455488,003F7162,003F6DEA,003F6EC2,003F6DEA,003F6DEA,?,?,?,00410D28,0D8C6817), ref: 00454F2A
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000001,00000000,00000001,00000000,003F6DA2,003F6CF2,00020006,00000000,00000000,00000000,00000001,00000000,003F6DA2,004131C1,00000000,00000000), ref: 004558FE
                                                                                                                                                            • RegCloseKey.ADVAPI32(003F6DA2,00000000,00000001,00000000,003F6DA2,003F6CF2,00020006,00000000,00000000,00000000,00000001,00000000,003F6DA2,004131C1,00000000,00000000), ref: 0045591C
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to set the %ls registry value to %d., xrefs: 004558D9
                                                                                                                                                            • Failed to allocate dependent subkey "%ls" under dependency "%ls"., xrefs: 004557FF
                                                                                                                                                            • %ls\%ls, xrefs: 004557E5
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00455790, 00455842, 004558E8
                                                                                                                                                            • Failed to create the dependency subkey "%ls"., xrefs: 00455833
                                                                                                                                                            • Failed to allocate the registry key for dependency "%ls"., xrefs: 00455781
                                                                                                                                                            • Failed to set the %ls registry value to "%ls"., xrefs: 00455874, 004558A5
                                                                                                                                                            • Failed to create the dependency registry key "%ls"., xrefs: 004557C8
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close$lstrlen
                                                                                                                                                            • String ID: %ls\%ls$Failed to allocate dependent subkey "%ls" under dependency "%ls".$Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to create the dependency subkey "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • lstrlenW.KERNEL32(00000000,00000001,BundleUpgradeCode,00000000,003F6DA2,00000000,00000000,00000001,0041303D,?,878D30FF,00412F8D,00000000,00413085,67E85650,003F6CF2), ref: 0044D849
                                                                                                                                                            • lstrlenW.KERNEL32(?,0041303D,00000001,00000000,0041303D,00000001,BundleUpgradeCode,00000000), ref: 0044D8D2
                                                                                                                                                            • RegSetValueExW.ADVAPI32(?,878D30FF,00412F8D,00000000,00413085,67E85650,003F6CF2,0041303D,00000001,00412F8D), ref: 0044D95B
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044D896, 0044D937, 0044D97F, 0044D984, 0044D99A
                                                                                                                                                            • failed to copy string: %ls, xrefs: 0044D928
                                                                                                                                                            • Failed to set registry value to array of strings (first string of which is): %ls, xrefs: 0044D98B
                                                                                                                                                            • DWORD Overflow while adding length of string to write REG_MULTI_SZ, xrefs: 0044D887
                                                                                                                                                            • Failed to allocate space for string while writing REG_MULTI_SZ, xrefs: 0044D876
                                                                                                                                                            • Failed to get total string size in bytes, xrefs: 0044D914
                                                                                                                                                            • BundleUpgradeCode, xrefs: 0044D82A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: lstrlen$Value
                                                                                                                                                            • String ID: BundleUpgradeCode$DWORD Overflow while adding length of string to write REG_MULTI_SZ$Failed to allocate space for string while writing REG_MULTI_SZ$Failed to get total string size in bytes$Failed to set registry value to array of strings (first string of which is): %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp$failed to copy string: %ls
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,8000FFFF,?,?,00000000,?,?), ref: 0040B371
                                                                                                                                                              • Part of subcall function 004534CC: ReadFile.KERNEL32(00000004,00000004,?,?,00000000,?,00000000,00000000,?,?,0040C427,?,?,00000004,?,00000004), ref: 004534F1
                                                                                                                                                              • Part of subcall function 004534CC: GetLastError.KERNEL32(?,?,0040C427,?,?,00000004,?,00000004,00000004,?,?,00000004,?,00000004,00000004), ref: 004534FB
                                                                                                                                                            Strings
                                                                                                                                                            • Verification secret from parent is too big., xrefs: 0040B3CA
                                                                                                                                                            • Verification process id from parent does not match., xrefs: 0040B4F2
                                                                                                                                                            • Failed to read verification process id from parent pipe., xrefs: 0040B46B
                                                                                                                                                            • Failed to inform parent process that child is running., xrefs: 0040B49F
                                                                                                                                                            • Verification secret from parent does not match., xrefs: 0040B445
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\pipe.cpp, xrefs: 0040B3B7, 0040B3C2, 0040B3DC, 0040B432, 0040B43D, 0040B4B1, 0040B4DF, 0040B4EA
                                                                                                                                                            • Failed to allocate buffer for verification secret., xrefs: 0040B3F3
                                                                                                                                                            • Failed to read size of verification secret from parent pipe., xrefs: 0040B38F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentErrorFileLastProcessRead
                                                                                                                                                            • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$d:\a\wix4\wix4\src\burn\user\pipe.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000040,?,00000040,00000000,00000000,0100147D,?,?,?,003F41A9,?,?,?,00000000), ref: 003F5A5C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F41A9,?,?,?,00000000), ref: 003F5A68
                                                                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,003F41A9,?,?,?,00000000), ref: 003F5B05
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F41A9,?,?,?,00000000), ref: 003F5B11
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: EnvironmentErrorExpandLastStrings
                                                                                                                                                            • String ID: Failed to allocate buffer for expanded string.$Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\envutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 004501F5
                                                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 0045022F
                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00450340
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045034B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                            • String ID: Failed getNamedItem in XmlGetAttribute(%ls)$Failed get_attributes.$Failed get_nodeValue in XmlGetAttribute(%ls)$Failed to allocate attribute name BSTR.$Failed to copy attribute value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • GetSystemTime.KERNEL32(?), ref: 003F90C8
                                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 003F90DC
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F90E8
                                                                                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 003F915C
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F9166
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DateErrorFormatLast$SystemTime
                                                                                                                                                            • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0044BA8E
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 0044BA98
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0044BAF7
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0044BB09
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                                                                            • String ID: "%ls" %ls$D$Failed to allocate full command-line.$Failed to create process: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 003F9B0E
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 003F9B15
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F9B21
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                            • String ID: DllGetVersion$Failed to create msi.dll version from QWORD.$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp$msi
                                                                                                                                                            • API String ID: 4275029093-1657635385
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044B0E2: EnterCriticalSection.KERNEL32(0048D4F0,00000000,00000000,00000001,0000000C,0000000C,?,0040A885,00000000,00000001,00468FA8,?,00000000,00000000,0000000C,00000000), ref: 0044B0F7
                                                                                                                                                              • Part of subcall function 0044B0E2: LeaveCriticalSection.KERNEL32(0048D4F0,?,0040A885,00000000,00000001,00468FA8,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 0044B2F9
                                                                                                                                                            • OpenEventLogW.ADVAPI32(00000000,Application), ref: 0040A9D3
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0040A9DF
                                                                                                                                                            • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00468E3C,00000000), ref: 0040AA36
                                                                                                                                                            • CloseEventLog.ADVAPI32(00000000), ref: 0040AA3D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                                                                            • String ID: Application$Failed to open Application event log$Setup$_Failed$d:\a\wix4\wix4\src\burn\user\logging.cpp$log
                                                                                                                                                            • API String ID: 1844635321-122217184
                                                                                                                                                            APIs
                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,?,?,0045526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,003F6CF2,00000000), ref: 0044C9ED
                                                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,0045526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,003F6CF2,00000000), ref: 0044CA1B
                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,?,?,0045526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,003F6CF2,00000000), ref: 0044CAA2
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Enum$InfoQuery
                                                                                                                                                            • String ID: Failed to allocate string bigger for enum registry key.$Failed to allocate string to minimum size.$Failed to determine length of string.$Failed to enum registry key.$Failed to get max size of subkey name under registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 73471667-3057206726
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,00000000,?,00000000,?,00000000,7FFFFFFF,?,00000000,7FFFFFFF,?,00000000,?,00000005,00000000), ref: 004522B9
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to canonicalize the directory.$Failed to canonicalize the path.$Failed to get length of canonicalized directory.$Failed to get length of canonicalized path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp$wzDirectory is required.$wzDirectory must be a fully qualified path.$wzPath is required.
                                                                                                                                                            • API String ID: 1825529933-3471778437
                                                                                                                                                            APIs
                                                                                                                                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0041D55B
                                                                                                                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0041D56A
                                                                                                                                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 0041D57E
                                                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0041D58E
                                                                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0041D59E
                                                                                                                                                            • Sleep.KERNEL32(000000FA), ref: 0041D612
                                                                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0041D675
                                                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0041D6EE
                                                                                                                                                            Strings
                                                                                                                                                            • =======================================, xrefs: 0041D63E
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Window$Long$Proc$MessagePostQuitSleep
                                                                                                                                                            • String ID: =======================================
                                                                                                                                                            • API String ID: 305784972-300222271
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Failed to find variable.$Failed to format variable '%ls' for condition '%ls'$Failed to get if variable is hidden.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$Failed to store formatted value for variable '%ls' for condition '%ls'$d:\a\wix4\wix4\src\burn\user\condition.cpp$feclient.dll
                                                                                                                                                            • API String ID: 2001391462-821846985
                                                                                                                                                            APIs
                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,003F6CF2,00000000,?,?,?,0042A0C7,00000000,003F6CF2,00000000,00000000,00000000), ref: 0042A123
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0042A0C7,00000000,003F6CF2,00000000,00000000,00000000,?,0042C452,00000000,00000000,00000000,00000000,00000000), ref: 0042A133
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateErrorEventLast
                                                                                                                                                            • String ID: Failed to append cache action.$Failed to append checkpoint before package start action.$Failed to append rollback cache action.$Failed to create syncpoint event.$Failed to plan cache for package.$Failed to plan package cache syncpoint$d:\a\wix4\wix4\src\burn\user\plan.cpp
                                                                                                                                                            • API String ID: 545576003-3436273000
                                                                                                                                                            • Opcode ID: ab5947b877695a842307b657f10cb99138f4e56abfb4860e6714dee99f274d40
                                                                                                                                                            • Instruction ID: 33d2324c34b85c306df03a6547dda34580fed929a6ea1c82cbfa3d62c46415b0
                                                                                                                                                            • Opcode Fuzzy Hash: ab5947b877695a842307b657f10cb99138f4e56abfb4860e6714dee99f274d40
                                                                                                                                                            • Instruction Fuzzy Hash: AA41C671B80731FBE712CA51DC45FAB7668AB04B14F614097FD04AB381E7B89D50CAAA
                                                                                                                                                            APIs
                                                                                                                                                            • LocalFree.KERNEL32(00000000,00000000,00000001,80000005,00000000,00000000,00000000,00000000,00000003,000007D0), ref: 0040D752
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to allocate access for Everyone group to path: %ls, xrefs: 0040D661
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\cache.cpp, xrefs: 0040D6DD, 0040D736
                                                                                                                                                            • Failed to allocate access for Users group to path: %ls, xrefs: 0040D68F
                                                                                                                                                            • Failed to create ACL to secure cache path: %ls, xrefs: 0040D6E8
                                                                                                                                                            • Failed to allocate access for Administrators group to path: %ls, xrefs: 0040D605
                                                                                                                                                            • Failed to secure cache path: %ls, xrefs: 0040D724
                                                                                                                                                            • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 0040D633
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLocal
                                                                                                                                                            • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 2826327444-3214910189
                                                                                                                                                            • Opcode ID: 43dca7b88c04f314fa7016a3060c14297eb57480dabfe54d04c29daa861ed14a
                                                                                                                                                            • Instruction ID: 38b4fddf3cc2c042594bc96a1008bc5d843adf6200c525e9730867c27c241dc4
                                                                                                                                                            • Opcode Fuzzy Hash: 43dca7b88c04f314fa7016a3060c14297eb57480dabfe54d04c29daa861ed14a
                                                                                                                                                            • Instruction Fuzzy Hash: C041D931F8072976E73196918C4AFEB7668AB04F14F114076BB44BE1C1EAF4AD4887E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetFullPathNameW.KERNEL32(00000000,00000105,?,0100147D,?,00000105,00000000,00000000,0100147D,?,00000000,003F6570), ref: 003F470D
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FullNamePath
                                                                                                                                                            • String ID: Failed to allocate space for full path.$Failed to get current directory.$Failed to get full path for string: %ls$Failed to get max length of input buffer.$Failed to reallocate space for full path.$GetFullPathNameW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                            • API String ID: 608056474-2352071517
                                                                                                                                                            • Opcode ID: cfe83916bfa7b7e676bdfb062d3f691e0112e7ccbf49eea3a3cb412c9fb5df3a
                                                                                                                                                            • Instruction ID: 455edd770ba0d7f294ddc80f39d5e04f5e80fc9ab7f76aacf34075040fc947ac
                                                                                                                                                            • Opcode Fuzzy Hash: cfe83916bfa7b7e676bdfb062d3f691e0112e7ccbf49eea3a3cb412c9fb5df3a
                                                                                                                                                            • Instruction Fuzzy Hash: 48411A31B4132D77E7226A558C4AFBF7A68DB06B61F110025FF14BF2C1E7B49C0446A4
                                                                                                                                                            Strings
                                                                                                                                                            • Directory search: %ls, failed get to directory attributes. '%ls', xrefs: 00400703
                                                                                                                                                            • Directory search: %ls, found file at path: %ls, xrefs: 00400741
                                                                                                                                                            • Directory search: %ls, did not find path: %ls, xrefs: 00400725
                                                                                                                                                            • Failed to format variable string., xrefs: 0040069E
                                                                                                                                                            • Failed to initialize file search., xrefs: 00400671
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 004006F3, 004006F8, 00400715, 00400773
                                                                                                                                                            • Failed to set variable., xrefs: 00400761
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Directory search: %ls, did not find path: %ls$Directory search: %ls, failed get to directory attributes. '%ls'$Directory search: %ls, found file at path: %ls$Failed to format variable string.$Failed to initialize file search.$Failed to set variable.$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            • API String ID: 0-1139486771
                                                                                                                                                            • Opcode ID: bf8d2687e9f24f4c865728edf336bf23ab10635f365e275fe823d424c9f71515
                                                                                                                                                            • Instruction ID: ff5793f92768cc141e75e4a7d0255e30f1ea3ad1474c9da1b2f339eb815f2ce8
                                                                                                                                                            • Opcode Fuzzy Hash: bf8d2687e9f24f4c865728edf336bf23ab10635f365e275fe823d424c9f71515
                                                                                                                                                            • Instruction Fuzzy Hash: 01315D31E4162577DB115A958C4AFAFBA68AF04750F100233FE04BB1C1F779AD109ADA
                                                                                                                                                            Strings
                                                                                                                                                            • File search: %ls, found directory at path: %ls, xrefs: 004009D0
                                                                                                                                                            • File search: %ls, failed get to file attributes. '%ls', xrefs: 00400992
                                                                                                                                                            • Failed to format variable string., xrefs: 0040092D
                                                                                                                                                            • File search: %ls, did not find path: %ls, xrefs: 004009B4
                                                                                                                                                            • Failed to initialize file search., xrefs: 00400900
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 00400982, 00400987, 004009A4, 00400A02
                                                                                                                                                            • Failed to set variable., xrefs: 004009F0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable.$File search: %ls, did not find path: %ls$File search: %ls, failed get to file attributes. '%ls'$File search: %ls, found directory at path: %ls$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            • API String ID: 0-1703314674
                                                                                                                                                            • Opcode ID: 04e27d4d06e02f2df581f5ba8cd404b72a695fc648aca8ef85392af2de242964
                                                                                                                                                            • Instruction ID: b371b8760bf17d710d04332cda0e015d4dc9b681cd0fa8c6a9b3805955c43985
                                                                                                                                                            • Opcode Fuzzy Hash: 04e27d4d06e02f2df581f5ba8cd404b72a695fc648aca8ef85392af2de242964
                                                                                                                                                            • Instruction Fuzzy Hash: 0B314172E40715B6EB115A958C4BF7FBA64AF04750F100133FE04791D2F6B49D108AD9
                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,00000000,000000B0), ref: 00402C7C
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00402C89
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00402CD9
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00402CE5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                                                            • String ID: BootstrapperApplicationCreate$Failed to create BA.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load BA DLL: %ls$d:\a\wix4\wix4\src\burn\user\userexperience.cpp
                                                                                                                                                            • API String ID: 1866314245-160439467
                                                                                                                                                            • Opcode ID: 520c1b93ef5e400f1af1091a39ee8184ccd1194dfb6bf2badf82ae71eb830ea1
                                                                                                                                                            • Instruction ID: 86eb1948562cfe45fd9e17c5ac4d093201f7b9288d01aca2c260526a931d05bd
                                                                                                                                                            • Opcode Fuzzy Hash: 520c1b93ef5e400f1af1091a39ee8184ccd1194dfb6bf2badf82ae71eb830ea1
                                                                                                                                                            • Instruction Fuzzy Hash: 1731D671E40729B7E7118F959D49B9FBAB4AF08750F014126F904BB3C0E3B89D008AD9
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcessId.KERNEL32(00000008,?,00000000,00000000,00000000,00000000,00000008,?,00000000,00000000,?,?), ref: 0040A0C3
                                                                                                                                                            • ProcessIdToSessionId.KERNEL32(00000000), ref: 0040A0CA
                                                                                                                                                            Strings
                                                                                                                                                            • %u\, xrefs: 0040A0DE
                                                                                                                                                            • Failed to format session id as a string., xrefs: 0040A0F2
                                                                                                                                                            • Failed to copy temp folder., xrefs: 0040A171
                                                                                                                                                            • Failed to get length of session id string., xrefs: 0040A11D
                                                                                                                                                            • Failed to get temp folder., xrefs: 0040A0A8
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\logging.cpp, xrefs: 0040A183
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process$CurrentSession
                                                                                                                                                            • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get temp folder.$d:\a\wix4\wix4\src\burn\user\logging.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,?,0043262E,00000000,00000000,00000000,?), ref: 00453AAF
                                                                                                                                                            • GetLastError.KERNEL32(?,0043262E,00000000,00000000,00000000,?,?,?,0042EE7E,458BF88B,?,?,?,00000000,00000000,?), ref: 00453ABC
                                                                                                                                                            • GetLastError.KERNEL32(?,0043262E,00000000,00000000,00000000,?,?,?,0042EE7E,458BF88B,?,?,?,00000000,00000000,?), ref: 00453ACE
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CreateFile
                                                                                                                                                            • String ID: Attempted to check filename, but no filename was provided$Failed to check size of file %ls by handle$Failed to open file %ls while checking file size$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$.#v@1#v
                                                                                                                                                            APIs
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000001,?,?,003F7C8C), ref: 0044B6F1
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 0044B687
                                                                                                                                                            • GetLastError.KERNEL32(?,?,003F7C8C,?,?,?,?,?,?,?), ref: 0044B693
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                                                                                                                            • String ID: Failed to load ntdll.dll$Failed to load ntdll.dll.$Failed to locate RtlGetVersion.$RtlGetVersion$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp$ntdll.dll
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020019,00000002,00000000), ref: 003F8B61
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32,00000000,003F15E3,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13ED
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13F9
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003F1444
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003F1455
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$ErrorHandleLastModule
                                                                                                                                                            • String ID: Failed to get module handle for kernel32.$SetDefaultDllDirectories$SetDllDirectoryW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp$kernel32
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,00000000,?), ref: 00434A38
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 00434C1C
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to set download user., xrefs: 00434B65
                                                                                                                                                            • BA did not provide container or payload id., xrefs: 00434BF4
                                                                                                                                                            • Failed to set download URL., xrefs: 00434B31
                                                                                                                                                            • BA requested unknown payload with id: %ls, xrefs: 00434A9B
                                                                                                                                                            • user is active, cannot change user state., xrefs: 00434A50
                                                                                                                                                            • BA requested unknown container with id: %ls, xrefs: 00434AE3
                                                                                                                                                            • Failed to set download password., xrefs: 00434B99
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\externaluser.cpp, xrefs: 00434A62, 00434AF5, 00434C0B
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: BA did not provide container or payload id.$BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$user is active, cannot change user state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$d:\a\wix4\wix4\src\burn\user\externaluser.cpp
                                                                                                                                                            • API String ID: 3168844106-103459661
                                                                                                                                                            • Opcode ID: 208d9753d09ad128881bbe17e78425976e55634285a31f1cff93483f0c891f82
                                                                                                                                                            • Instruction ID: b2a719c03c657411e232a02b5e90dab070990dfa89228a9f2f2d27afe532e0d4
                                                                                                                                                            • Opcode Fuzzy Hash: 208d9753d09ad128881bbe17e78425976e55634285a31f1cff93483f0c891f82
                                                                                                                                                            • Instruction Fuzzy Hash: 25510971A40705BBDB21AA50CC45FEBB768AF88740F155123FA04AF2C1E778F950CBA9
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,-80000001,56800040,00020019,00000001,003F6EDE,003F6DEA,00000000,003F6E32,003F6EDE,003F7162,003F6DEA), ref: 00422362
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to compare versions., xrefs: 004222DC
                                                                                                                                                            • QuietUninstallString, xrefs: 00422315
                                                                                                                                                            • Failed to open registry key: %ls., xrefs: 00422226
                                                                                                                                                            • Failed to read DisplayVersion., xrefs: 00422282
                                                                                                                                                            • DisplayVersion, xrefs: 00422256
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\exeuser.cpp, xrefs: 00422238, 0042234C
                                                                                                                                                            • Failed to read QuietUninstallString., xrefs: 0042233A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: DisplayVersion$Failed to compare versions.$Failed to open registry key: %ls.$Failed to read DisplayVersion.$Failed to read QuietUninstallString.$QuietUninstallString$d:\a\wix4\wix4\src\burn\user\exeuser.cpp
                                                                                                                                                            • API String ID: 3535843008-915021512
                                                                                                                                                            • Opcode ID: fad01e5888f21a5f9b57ecb15214fbda8320f77763c8bef9fb6d1b0465b3d241
                                                                                                                                                            • Instruction ID: c0616350ce4850e2ef15e8c400e909585a33ddfa018da8cb6e2d7543bdb005f4
                                                                                                                                                            • Opcode Fuzzy Hash: fad01e5888f21a5f9b57ecb15214fbda8320f77763c8bef9fb6d1b0465b3d241
                                                                                                                                                            • Instruction Fuzzy Hash: 1A514631B40236FBDB218EA4DD42BABB6A4AB04700F55416AF904BB281D3FD9E50D698
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000), ref: 00456212
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to compare path from pending file rename to check path., xrefs: 00456221
                                                                                                                                                            • Failed to read pending file renames., xrefs: 00456114
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp, xrefs: 004561EC
                                                                                                                                                            • PendingFileRenameOperations, xrefs: 004560E8, 004561CA
                                                                                                                                                            • Failed to open pending file rename registry key., xrefs: 004560C7
                                                                                                                                                            • Failed to update pending file renames., xrefs: 004561DD
                                                                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00456085
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to compare path from pending file rename to check path.$Failed to open pending file rename registry key.$Failed to read pending file renames.$Failed to update pending file renames.$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp
                                                                                                                                                            • API String ID: 3535843008-1055086927
                                                                                                                                                            • Opcode ID: 627e81797915d60b472ea2dda966893667a34bb10749ac8c03257f880ff80e82
                                                                                                                                                            • Instruction ID: c008ebd0eda1b02512cb63132277bbb5ac3b3a773b535a0c2e86abb2cdaf1c49
                                                                                                                                                            • Opcode Fuzzy Hash: 627e81797915d60b472ea2dda966893667a34bb10749ac8c03257f880ff80e82
                                                                                                                                                            • Instruction Fuzzy Hash: 4051E730E40615BBDB21AE59CC41FBFBBB89F00702F56455BAD01BB393D6798E048B98
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00405C41: CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF), ref: 00405C6E
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,?,?,?), ref: 00417566
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to find package: %ls$Failed to read compatible package id.$Failed to read package id.$Failed to remove from cache compatible package: %ls$Package '%ls' has no compatible package to clean.$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\user\elevation.cpp
                                                                                                                                                            • API String ID: 1825529933-529956491
                                                                                                                                                            • Opcode ID: 6fa14a10fc993b176f698b2bbe42ba6d61ff6bf64bafccf153043424ea476ff3
                                                                                                                                                            • Instruction ID: aea1b7f0879855f7d07151c35a9f383a9a7ca243454d049079f30f42d0fb8382
                                                                                                                                                            • Opcode Fuzzy Hash: 6fa14a10fc993b176f698b2bbe42ba6d61ff6bf64bafccf153043424ea476ff3
                                                                                                                                                            • Instruction Fuzzy Hash: 1A415C71A40249FBEF129A91CC46FEFBA79EB00710F104517FA04BA1D0E3B99E50D768
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004539DD: SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539F5
                                                                                                                                                              • Part of subcall function 004539DD: GetLastError.KERNEL32(?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539FF
                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004584E8
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorLastPointerWrite
                                                                                                                                                            • String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                            • API String ID: 972348794-1106238538
                                                                                                                                                            • Opcode ID: 8de207669797b4095bc93c4514c2a3f315f2d3c021fe2dd669a7ae73628f8ccb
                                                                                                                                                            • Instruction ID: 240b882e9d18253eac6f6e87b9b1a77c952b6603ad89b718da48bcaf590ad014
                                                                                                                                                            • Opcode Fuzzy Hash: 8de207669797b4095bc93c4514c2a3f315f2d3c021fe2dd669a7ae73628f8ccb
                                                                                                                                                            • Instruction Fuzzy Hash: 3C410B72A4121DBBEB215E44DC45FAF7A68AF00752F11415ABE00BA182FF78DD14D7A8
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F165F: WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,0041EC52,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 003F1673
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,00000002,?,00000000,000000FF,00000000), ref: 003F65FF
                                                                                                                                                            • ResetEvent.KERNEL32(?), ref: 003F6615
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F661F
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003F6629
                                                                                                                                                              • Part of subcall function 0044B324: EnterCriticalSection.KERNEL32(0048D4F0,00000000,?,003F8067,00000000,00000000,?,?,?,?,?,?,?), ref: 0044B32E
                                                                                                                                                              • Part of subcall function 0044B324: LeaveCriticalSection.KERNEL32(0048D4F0,?,003F8067,00000000,00000000,?,?,?,?,?,?,?), ref: 0044B345
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave$ErrorEventLastMultipleObjectsResetWait
                                                                                                                                                            • String ID: Failed to reset log event.$Failed to wait for log thread events, signaled: %u.$Failed to wait log message over pipe.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3117541546-2819198451
                                                                                                                                                            • Opcode ID: 65d57e3a8b9d1093985c5140a61a35727a481a51f36a69df6958b82eab5cf6ed
                                                                                                                                                            • Instruction ID: 0e67a5f8cc8d4c2554b01dac5f7e1c89ead524a9f023230cd2c1f58399596584
                                                                                                                                                            • Opcode Fuzzy Hash: 65d57e3a8b9d1093985c5140a61a35727a481a51f36a69df6958b82eab5cf6ed
                                                                                                                                                            • Instruction Fuzzy Hash: 7141EC31A40319B7EB22AFA68C47F7EB6B8EF14715F100115FB00B91C2D7B4D9508AD9
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00454F04: lstrlenW.KERNEL32(003F7162,003F6DEA,?,?,?,00455488,003F7162,003F6DEA,003F6EC2,003F6DEA,003F6DEA,?,?,?,00410D28,0D8C6817), ref: 00454F2A
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,0045E7E8,?,8000FFFF,8000FFFF,00020006,00000000,00000000,00000000,00000000,00000000,00000000,8000FFFF,?), ref: 00455735
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to set the %ls registry value to %d., xrefs: 00455710
                                                                                                                                                            • default, xrefs: 00455672
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00455612, 0045571F
                                                                                                                                                            • Failed to allocate the registry key for dependency "%ls"., xrefs: 00455603
                                                                                                                                                            • version.dll, xrefs: 004555E1
                                                                                                                                                            • Failed to set the %ls registry value to "%ls"., xrefs: 00455677, 004556AB, 004556DC
                                                                                                                                                            • Failed to create the dependency registry key "%ls"., xrefs: 00455648
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Closelstrlen
                                                                                                                                                            • String ID: Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp$default$version.dll
                                                                                                                                                            • API String ID: 3903209405-20855631
                                                                                                                                                            APIs
                                                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 004500C9
                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 004500D5
                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 004501C4
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004501CF
                                                                                                                                                            Strings
                                                                                                                                                            • failed get_attributes, xrefs: 004500F8
                                                                                                                                                            • failed get_nodeValue in XmlGetAttribute(%ls), xrefs: 0045016F
                                                                                                                                                            • failed getNamedItem in XmlGetAttribute(%ls), xrefs: 00450131
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00450107, 00450140
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed getNamedItem in XmlGetAttribute(%ls)$failed get_attributes$failed get_nodeValue in XmlGetAttribute(%ls)
                                                                                                                                                            • API String ID: 760788290-1291303398
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000105,00000000,00000000,00000105,00000000,00000000,00000000,?,?,?,003F47DC,?,00000000,00000000,00000000,0100147D), ref: 003F648B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentDirectory
                                                                                                                                                            • String ID: Failed to allocate space for current directory.$Failed to get current directory.$Failed to get max length of input buffer.$Failed to reallocate space for current directory.$GetCurrentDirectoryW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
                                                                                                                                                            • API String ID: 1611563598-979167295
                                                                                                                                                            APIs
                                                                                                                                                            • GetFileAttributesW.KERNEL32(003F6CF2,00000000,7D8B5756,003F6CF2,00000000,003F7162,003F7162,003F6DEA,00000000,003F7162,00000000,003F6DEA,003F6CF2,003F7162,003F6DEA,003F6EDE), ref: 00400814
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040081F
                                                                                                                                                            Strings
                                                                                                                                                            • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 004008AC
                                                                                                                                                            • Failed to format variable string., xrefs: 004007FD
                                                                                                                                                            • Failed to initialize file search., xrefs: 004007C3
                                                                                                                                                            • Failed to set directory search path variable., xrefs: 00400850
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 004007D5, 00400897
                                                                                                                                                            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00400885
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AttributesErrorFileLast
                                                                                                                                                            • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to initialize file search.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            • API String ID: 1799206407-3281098314
                                                                                                                                                            APIs
                                                                                                                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00429860,00000000,?), ref: 0045761D
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00429860,00000000,?,?,?,?,?,?,?,?,?,00429D0A,?,?), ref: 0045762B
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00429860,00000000,?), ref: 00457682
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00429860,00000000,?,?,?,?,?,?,?,?,?,00429D0A,?,?), ref: 0045768C
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                                                                                                                                            • String ID: Failed to allocate memory to get configuration.$Failed to query service configuration.$Failed to read service configuration.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\svcutil.cpp
                                                                                                                                                            • API String ID: 355237494-3172380343
                                                                                                                                                            APIs
                                                                                                                                                            • GetFileAttributesW.KERNEL32(003F6CF2,00000000,7D8B5756,003F6CF2,00000000,003F7162,003F7162,003F6DEA,00000000,003F7162,00000000,003F6DEA,003F6CF2), ref: 00400AA3
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00400AAE
                                                                                                                                                            Strings
                                                                                                                                                            • Failed while searching file search: %ls, for path: %ls, xrefs: 00400ADC
                                                                                                                                                            • Failed to format variable string., xrefs: 00400A8C
                                                                                                                                                            • File search: %ls, did not find path: %ls, xrefs: 00400B33
                                                                                                                                                            • Failed to initialize file search., xrefs: 00400A52
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\search.cpp, xrefs: 00400A64, 00400AEE
                                                                                                                                                            • Failed to set variable to file search path., xrefs: 00400B17
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AttributesErrorFileLast
                                                                                                                                                            • String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls$d:\a\wix4\wix4\src\burn\user\search.cpp
                                                                                                                                                            • API String ID: 1799206407-4156759458
                                                                                                                                                            • Opcode ID: 5bb57b754c73084364c67d727eb43a90e9eb3472287adac0d8976f933d5511aa
                                                                                                                                                            • Instruction ID: 6f3e97264bdb54d31a6996b73b641e42d33e48aac94015ae7f2f7d0bde6e2bd0
                                                                                                                                                            • Opcode Fuzzy Hash: 5bb57b754c73084364c67d727eb43a90e9eb3472287adac0d8976f933d5511aa
                                                                                                                                                            • Instruction Fuzzy Hash: 44314D32E40729B7DB135AD58C07FAFBA78AF04714F114123FA047A1D1E379AE509ADA
                                                                                                                                                            APIs
                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 0043631B
                                                                                                                                                            • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00436333
                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043637E
                                                                                                                                                            • ReleaseMutex.KERNEL32(?), ref: 00436395
                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 0043639E
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\netfxchainer.cpp, xrefs: 00436401
                                                                                                                                                            • Failed to get message from netfx chainer., xrefs: 004363BF
                                                                                                                                                            • Failed to send files in use message from netfx chainer., xrefs: 004363EF
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: MutexObjectReleaseSingleWait$Event
                                                                                                                                                            • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.$d:\a\wix4\wix4\src\burn\user\netfxchainer.cpp
                                                                                                                                                            • API String ID: 2608678126-3113603724
                                                                                                                                                            • Opcode ID: 20e08007211d9ac420f207c742db5fc626a7e678faa696e1e4de20d56988c4fa
                                                                                                                                                            • Instruction ID: e7098c86b8d9cd2fbad553e02a9ff699106cacd4fdb6c397f837924e9500bc99
                                                                                                                                                            • Opcode Fuzzy Hash: 20e08007211d9ac420f207c742db5fc626a7e678faa696e1e4de20d56988c4fa
                                                                                                                                                            • Instruction Fuzzy Hash: 70310771A0021ABFCB159F55CC49EEEBFB8EF18720F118266F914A6292C774DA10CB94
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F165F: WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,0041EC52,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 003F1673
                                                                                                                                                            • GetExitCodeThread.KERNEL32(0045E7E8,?,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 0041EC94
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041ECA2
                                                                                                                                                            • ResetEvent.KERNEL32(0045E7C0,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 0041ECDF
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0041ECE9
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                                                            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 2979751695-3676338304
                                                                                                                                                            • Opcode ID: 4ed381282b8175b32360d8732310960754f79ab3062621493fca67a4a2f73754
                                                                                                                                                            • Instruction ID: 02461bf090aa8361e8fa4a00468213489591275089e5893ca9f20945aa7770b3
                                                                                                                                                            • Opcode Fuzzy Hash: 4ed381282b8175b32360d8732310960754f79ab3062621493fca67a4a2f73754
                                                                                                                                                            • Instruction Fuzzy Hash: 8431A475A40216BBD700DF6BDD05FEFB6FCEB04700F10456AF949E6250E678DA409B68
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00407CE9: lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,swidtag,?,?,?,?,00000000), ref: 00407D78
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Closelstrlen
                                                                                                                                                            • String ID: %04u%02u%02u$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$InstallDate$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3903209405-1589291871
                                                                                                                                                            • Opcode ID: 02deb8af6d3404d47317cf11cf82c373da934cd70a43cd1cd88eb2ca3cc60cef
                                                                                                                                                            • Instruction ID: c2aa22e7b93fbf096a692fa4e11a6be5137b0524ac80e1f91568b66e6420392f
                                                                                                                                                            • Opcode Fuzzy Hash: 02deb8af6d3404d47317cf11cf82c373da934cd70a43cd1cd88eb2ca3cc60cef
                                                                                                                                                            • Instruction Fuzzy Hash: 3A21EB71E40315B6DB22A651CC4AFBF7A689B04B05F14017BFA04B53C2D6BC9E40C7AA
                                                                                                                                                            APIs
                                                                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 003FA67C
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: lstrlen
                                                                                                                                                            • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 1659193697-948137518
                                                                                                                                                            • Opcode ID: 41858bc9963d5673c4533adc799af9aed69d307b513b53ddd11761eb2ed342e8
                                                                                                                                                            • Instruction ID: 2efcc4dbdadb2bb81ebdcdc426a00a8a2c59b2c9320fa47bf6e82216b4068cb0
                                                                                                                                                            • Opcode Fuzzy Hash: 41858bc9963d5673c4533adc799af9aed69d307b513b53ddd11761eb2ed342e8
                                                                                                                                                            • Instruction Fuzzy Hash: 53313BB2E81B1CB7EB2366908C47FFF7A7C8B01B51F210112B744BA1C0E6E49E449696
                                                                                                                                                            APIs
                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 0043A390
                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 0043A49E
                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 0043A5F0
                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 0043A60B
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                            • API String ID: 2751267872-393685449
                                                                                                                                                            • Opcode ID: 5198368addb7a2e208b5367af5f7035b93a0c01e83e93bb1a0f6b9adcc8eec89
                                                                                                                                                            • Instruction ID: f0de82b15b9c8783172df132c5250620a5af0b13543a2408f965fe933637938a
                                                                                                                                                            • Opcode Fuzzy Hash: 5198368addb7a2e208b5367af5f7035b93a0c01e83e93bb1a0f6b9adcc8eec89
                                                                                                                                                            • Instruction Fuzzy Hash: DAB1BC71840209EFCF19DFA5C8459AEBBB5BF08314F14605BE8916B302D379DE61CB9A
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000000,0045E860,000000FF,00000000,000000FF,00000000,00000000,?,003F6CF2,00000000), ref: 00428482
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\mspuser.cpp, xrefs: 00428541
                                                                                                                                                            • Failed to grow array of ordered patches., xrefs: 0042864E
                                                                                                                                                            • Failed to plan action for target product., xrefs: 0042852F
                                                                                                                                                            • Failed to get msp ui options., xrefs: 004285F5
                                                                                                                                                            • Failed to insert execute action., xrefs: 004284E7
                                                                                                                                                            • Failed to copy target product code., xrefs: 004285AD
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to copy target product code.$Failed to get msp ui options.$Failed to grow array of ordered patches.$Failed to insert execute action.$Failed to plan action for target product.$d:\a\wix4\wix4\src\burn\user\mspuser.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 003FC6C7
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 003FC72F
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 003FC763
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to get length of left string: %ls$Failed to get length of right string: %ls$d:\a\wix4\wix4\src\burn\user\condition.cpp$feclient.dll
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00454F04: lstrlenW.KERNEL32(003F7162,003F6DEA,?,?,?,00455488,003F7162,003F6DEA,003F6EC2,003F6DEA,003F6DEA,?,?,?,00410D28,0D8C6817), ref: 00454F2A
                                                                                                                                                            • RegCloseKey.ADVAPI32(003F6EDE,003F6DEA,003F6DEA,00020019,003F6EDE,003F7162,003F6DEA,003F6EC2,003F6DEA,003F6DEA,?,?,?,00410D28,0D8C6817,8B000137), ref: 004555BC
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get the version for the dependency "%ls"., xrefs: 0045559B
                                                                                                                                                            • Failed to open the registry key for the dependency "%ls"., xrefs: 004554D8
                                                                                                                                                            • Failed to get the id for the dependency "%ls"., xrefs: 00455521
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 004555A7
                                                                                                                                                            • Failed to get the name for the dependency "%ls"., xrefs: 0045555E
                                                                                                                                                            • Failed to allocate the registry key for dependency "%ls"., xrefs: 0045548F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Closelstrlen
                                                                                                                                                            • String ID: Failed to allocate the registry key for dependency "%ls".$Failed to get the id for the dependency "%ls".$Failed to get the name for the dependency "%ls".$Failed to get the version for the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • MoveFileExW.KERNEL32(?,?,00000000,80004005,?,?,?,00453404,?,?,00000000,?,?,00000000), ref: 00453294
                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,?,00453404,?,?,00000000,?,?,00000000,?,?,0040C66A,?,?,00000001), ref: 004532A3
                                                                                                                                                              • Part of subcall function 0045343B: FindFirstFileW.KERNEL32(003F6DEA,?,003F6DEA,003F6DEA,00000000), ref: 00453476
                                                                                                                                                              • Part of subcall function 0045343B: FindClose.KERNEL32(00000000), ref: 00453482
                                                                                                                                                            • MoveFileExW.KERNEL32(?,?,00000000,?,00000000,?,?,00453404,?,?,00000000,?,?,00000000), ref: 0045335E
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00453404,?,?,00000000,?,?,00000000,?,?,0040C66A,?,?,00000001,00000001), ref: 00453368
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorFindLastMove$CloseFirst
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to create directory while moving file: '%ls' to: '%ls'$failed to move file: '%ls' to: '%ls'
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6CF2,00000000,00000000,00000001,00000000,00000000,00000390,000000F8,003F6CF2,004131C1,00000000,00000000,8D18C483,5350F845,00020006), ref: 00409A73
                                                                                                                                                              • Part of subcall function 00407A4E: RegCloseKey.ADVAPI32(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00407CDA
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to delete registration key: %ls, xrefs: 004099FE
                                                                                                                                                            • Failed to update estimated size., xrefs: 00409AFA
                                                                                                                                                            • Failed to update resume mode., xrefs: 00409A4B
                                                                                                                                                            • Failed to update name and publisher., xrefs: 00409ACB
                                                                                                                                                            • Failed to open registration key., xrefs: 00409A9B
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 00409A10, 00409A5D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to delete registration key: %ls$Failed to open registration key.$Failed to update estimated size.$Failed to update name and publisher.$Failed to update resume mode.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to add "%ls" to the list of dependencies to ignore., xrefs: 0041074E
                                                                                                                                                            • Failed to create the string dictionary., xrefs: 00410664
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\dependency.cpp, xrefs: 00410676, 004106C3, 00410760
                                                                                                                                                            • Failed to add "%ls" to the string dictionary., xrefs: 0041073A
                                                                                                                                                            • Failed to check the dictionary of unique dependencies., xrefs: 004106B1
                                                                                                                                                            • ALL, xrefs: 00410702
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: ALL$Failed to add "%ls" to the list of dependencies to ignore.$Failed to add "%ls" to the string dictionary.$Failed to check the dictionary of unique dependencies.$Failed to create the string dictionary.$d:\a\wix4\wix4\src\burn\user\dependency.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,-80000001,?,00020019,?,?,?,00000000,?,?,?,?,00420576,?,00000000,8000FFFF), ref: 00420415
                                                                                                                                                            Strings
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0042033A
                                                                                                                                                            • QuietUninstallString, xrefs: 004203C6
                                                                                                                                                            • Failed to open registry key: %ls., xrefs: 0042039B
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\bundlepackageuser.cpp, xrefs: 004203AD, 004203FF
                                                                                                                                                            • Failed to build full key path., xrefs: 0042034A
                                                                                                                                                            • Failed to read QuietUninstallString., xrefs: 004203ED
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to build full key path.$Failed to open registry key: %ls.$Failed to read QuietUninstallString.$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$d:\a\wix4\wix4\src\burn\user\bundlepackageuser.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp,0000011E,80070057,?,?,?), ref: 004574BC
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: An invalid parameter was passed to the function.$Failed to locate and query bundle variable.$Failed to read string shared variable.$Reading bundle variable of type 0x%x not implemented.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp$variables
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,?,?,003F1CD0,?,00000105,00000000,?,00000000,?,?), ref: 003F5832
                                                                                                                                                            • HeapReAlloc.KERNEL32(00000000,?,003F1CD0,?,00000105,00000000,?,00000000,?,?,?,?,003F29D8,?,?,00000000), ref: 003F5839
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • _memcpy_s.LIBCMT ref: 003F58BD
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocAllocate_memcpy_s
                                                                                                                                                            • String ID: Failed to get current memory size.$Failed to get new memory size.$Failed to reallocate memory$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • RegSetValueExW.ADVAPI32(?,?,0044D811,003F6CF2,004131C1,004131C1,00000001,?,004079A8,004131C1,DisplayName,00000000,003F6CF2,004131C1,00000000,003F6CF2), ref: 0044C42D
                                                                                                                                                            • RegDeleteValueW.ADVAPI32(?,?,0044D811,003F6CF2,004131C1,004131C1,00000001,?,004079A8,004131C1,DisplayName,00000000,003F6CF2,004131C1,00000000,003F6CF2), ref: 0044C47F
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$Delete
                                                                                                                                                            • String ID: DisplayName$Failed to delete registry value: %ls$Failed to determine length of registry value: %ls$Failed to set registry value: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • CommandLineToArgvW.SHELL32(00000000,003F6570,00000000,003F6570,00000000,00000000,ignored ,00000000,00000000,00000000,?,?,?,003F7B19,00000000,?), ref: 004499E1
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003F7B19,00000000,?,?,00000003,00000000,003F6570,00000000,?,?,?,?,?), ref: 004499EB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ArgvCommandErrorLastLine
                                                                                                                                                            • String ID: Failed to copy command line.$Failed to initialize command line.$Failed to parse command line.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\app2util.cpp$ignored
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0045343B: FindFirstFileW.KERNEL32(003F6DEA,?,003F6DEA,003F6DEA,00000000), ref: 00453476
                                                                                                                                                              • Part of subcall function 0045343B: FindClose.KERNEL32(00000000), ref: 00453482
                                                                                                                                                            • SetFileAttributesW.KERNEL32(0042E626,00000080,00000000,0042E626,000000FF,00000000,00000000,?,?,0042E626), ref: 004531E0
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0042E626), ref: 004531EA
                                                                                                                                                            • DeleteFileW.KERNEL32(0042E626,00000000,0042E626,000000FF,00000000,00000000,?,?,0042E626), ref: 00453223
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0042E626), ref: 0045322D
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                                                                                                                            • String ID: Failed to delete file: %ls$Failed to remove attributes from file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            APIs
                                                                                                                                                            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0041E336
                                                                                                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041E348
                                                                                                                                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 0041E35B
                                                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0041DE6A,?,?), ref: 0041E36A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Time$File$CloseDateHandleLocal
                                                                                                                                                            • String ID: Invalid operation for this state.$d:\a\wix4\wix4\src\burn\user\cabextract.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 609741386-1862395497
                                                                                                                                                            • Opcode ID: 8fe819cef38f73abfdb97b4e9b1d2bd26097b4dc63f3c96dc17aafb3f059ea0d
                                                                                                                                                            • Instruction ID: ef7d80361f618d6142793d25b9bfad495479ffc864ba662b6f6ffac6dacc9a23
                                                                                                                                                            • Opcode Fuzzy Hash: 8fe819cef38f73abfdb97b4e9b1d2bd26097b4dc63f3c96dc17aafb3f059ea0d
                                                                                                                                                            • Instruction Fuzzy Hash: 7521C27280061DBBCB10DF6ADD489EABBACFB08710B504216FD65E71D1D378EA50CB98
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcAddress.KERNEL32(PathAllocCanonicalize,api-ms-win-core-path-l1-1-0.dll), ref: 00451B7E
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00451D45,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00451B8D
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorLastProc
                                                                                                                                                            • String ID: Failed to get address of PathAllocCanonicalize.$Failed to load api-ms-win-core-path-l1-1-0.dll$PathAllocCanonicalize$api-ms-win-core-path-l1-1-0.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                            • API String ID: 199729137-1104870970
                                                                                                                                                            • Opcode ID: 7b91f5d3df5ff08b7a564c536778b8d7ba855db801cf17bd3dd2e4ed68b00718
                                                                                                                                                            • Instruction ID: 29bd8cdeec71aad960a17327fe5ed9ce5f9dba79aae563055e40d0f41e9f8c77
                                                                                                                                                            • Opcode Fuzzy Hash: 7b91f5d3df5ff08b7a564c536778b8d7ba855db801cf17bd3dd2e4ed68b00718
                                                                                                                                                            • Instruction Fuzzy Hash: 4D11B232A8222272E73522556C4AF2B59445794B62F214A2BBD05BA2E3F19C9C0543DC
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 0044E0B5
                                                                                                                                                            • GetLastError.KERNEL32(?,003F6FBB,00000001,?,?,Function_000069E0,?), ref: 0044E0C4
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                                                            • String ID: Failed to find set restore point proc address.$Failed to initialize security for COM to talk to system restore.$SRSetRestorePointW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp$srclient.dll
                                                                                                                                                            • API String ID: 1866314245-3391705418
                                                                                                                                                            • Opcode ID: 6442768dd5888f835e095bff954acb4cbfb75cd314eb7f0f2fd49c92a86e9847
                                                                                                                                                            • Instruction ID: 63f293fd4d7b3fdd605ce02458dc6d27a2c1a97e97eb6d0d0c15d7abf03a67e8
                                                                                                                                                            • Opcode Fuzzy Hash: 6442768dd5888f835e095bff954acb4cbfb75cd314eb7f0f2fd49c92a86e9847
                                                                                                                                                            • Instruction Fuzzy Hash: 1A11E332EC267972F2323A569D0BB2F6944AB10B61F060937FE047E3C1E5E8D84092DD
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,003F6DEA,00000000,?,00400CFC,003F6DEE,003F6DEA,?,0040066B,003F7162,003F7162,003F6DEA,00000000,003F7162,00000000), ref: 0044B711
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0044B718
                                                                                                                                                            • GetLastError.KERNEL32(?,00400CFC,003F6DEE,003F6DEA,?,0040066B,003F7162,003F7162,003F6DEA,00000000,003F7162,00000000,003F6DEA,003F6CF2,003F7162,003F6DEA), ref: 0044B741
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                            • String ID: Failed to disable file system redirection.$Wow64DisableWow64FsRedirection$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$kernel32
                                                                                                                                                            • API String ID: 4275029093-2679686115
                                                                                                                                                            • Opcode ID: 5fb333f675f2251e59a1e6605393ed8bb21de7f04d2b16eac916779b62da9ac2
                                                                                                                                                            • Instruction ID: f7c599a924d8c3f92dce641ff80312d9f8159b249868b768b7d6100e900dbff7
                                                                                                                                                            • Opcode Fuzzy Hash: 5fb333f675f2251e59a1e6605393ed8bb21de7f04d2b16eac916779b62da9ac2
                                                                                                                                                            • Instruction Fuzzy Hash: 56012877A0072873E22127969C49F6FA55CCB80761F014123FE04AB241E76CCD0142E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F6BE8
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 003F6DBC
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F6DCB
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCriticalDeleteErrorHandleLastSection
                                                                                                                                                            • String ID: Failed to create semaphore for queue.$PhPg?$d:\a\wix4\wix4\src\burn\user\user.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 596325006-1228057453
                                                                                                                                                            • Opcode ID: 375a5b0dd98c14a02c2a8cd9314b888d22a9ec690b67e904f2094a3eebec690b
                                                                                                                                                            • Instruction ID: 0adeb82f849d68d9f4b8d2ddd71bb14b3b7137135fd824724bec2a939bf4647a
                                                                                                                                                            • Opcode Fuzzy Hash: 375a5b0dd98c14a02c2a8cd9314b888d22a9ec690b67e904f2094a3eebec690b
                                                                                                                                                            • Instruction Fuzzy Hash: AF019672A01318B7DB129B95DC4AFEEB678AB04316F050066FA01BA191E374DD00CBA4
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F1839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                              • Part of subcall function 003F1839: GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 0044C8FF
                                                                                                                                                            • GetProcAddress.KERNEL32(RegGetValueW), ref: 0044C915
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044C8E5
                                                                                                                                                            • Failed to load AdvApi32.dll, xrefs: 0044C8D9
                                                                                                                                                            • AdvApi32.dll, xrefs: 0044C8C9
                                                                                                                                                            • RegGetValueW, xrefs: 0044C905
                                                                                                                                                            • RegDeleteKeyExW, xrefs: 0044C8F4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$ErrorLastLibraryLoad
                                                                                                                                                            • String ID: AdvApi32.dll$Failed to load AdvApi32.dll$RegDeleteKeyExW$RegGetValueW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 856020675-1672349681
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Aborted cache verify payload signature begin.$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 0-338742995
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F6305: CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000,?,0040ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000), ref: 003F6313
                                                                                                                                                              • Part of subcall function 003F6305: GetLastError.KERNEL32(?,0040ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000,00000000,?,00000021,00000000), ref: 003F6321
                                                                                                                                                            • lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,swidtag,?,?,?,?,00000000), ref: 00407D78
                                                                                                                                                              • Part of subcall function 00453EAD: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,?,00000000,?,00000000,?,00407D8F,?,00000080,?,00000000), ref: 00453EC5
                                                                                                                                                              • Part of subcall function 00453EAD: GetLastError.KERNEL32(?,00000000,?,00407D8F,?,00000080,?,00000000,?,?,?,swidtag,?,?,?,?), ref: 00453ED2
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to allocate regid folder path., xrefs: 00407E02
                                                                                                                                                            • Failed to create regid folder: %ls, xrefs: 00407DCD
                                                                                                                                                            • Failed to write tag xml to file: %ls, xrefs: 00407DB6
                                                                                                                                                            • swidtag, xrefs: 00407D34
                                                                                                                                                            • Failed to format tag folder path., xrefs: 00407E16
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 00407DDF, 00407E28
                                                                                                                                                            • Failed to allocate regid file path., xrefs: 00407DEE
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateErrorLast$DirectoryFilelstrlen
                                                                                                                                                            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$d:\a\wix4\wix4\src\burn\user\registration.cpp$swidtag
                                                                                                                                                            • API String ID: 583680227-1772413233
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000,?), ref: 00434C48
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00434D84
                                                                                                                                                            Strings
                                                                                                                                                            • BA requested unknown payload with id: %ls, xrefs: 00434CC0
                                                                                                                                                            • user is active, cannot change user state., xrefs: 00434C60
                                                                                                                                                            • BA requested unknown container with id: %ls, xrefs: 00434D3B
                                                                                                                                                            • Failed to set source path for container., xrefs: 00434D65
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\externaluser.cpp, xrefs: 00434C72, 00434CD2
                                                                                                                                                            • Failed to set source path for payload., xrefs: 00434CFE
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$d:\a\wix4\wix4\src\burn\user\externaluser.cpp
                                                                                                                                                            • API String ID: 3168844106-1414015681
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,00000000,00000000,?,?,?,003F85FC,00000000,?,00000000,?,00000000,?,0040A80F), ref: 003F8B82
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,7FFFFFFE,?,003F85FC,00000000,?,00000000,?,00000000,?,0040A80F,?,00000001,00000000), ref: 003F8C9E
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-1256323647
                                                                                                                                                            APIs
                                                                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 0041D01D
                                                                                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0041D095
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0041D0AC
                                                                                                                                                              • Part of subcall function 0041CE40: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000014,?,00000060,?,?,00000000,?,0041CD2A,?,00000060), ref: 0041CE7E
                                                                                                                                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0041D0C3
                                                                                                                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0041D0D1
                                                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0041D0D8
                                                                                                                                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0041D0EC
                                                                                                                                                            • DefWindowProcW.USER32(?,?,?,?,?,00000000), ref: 0041D11C
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Window$LongProc$MessagePost$Quit
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3225497149-0
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _strrchr
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3213747228-0
                                                                                                                                                            • Opcode ID: 7eaf186ae0cbf7de8f6fa16e82fe6069b98ea90ea005d767dd8ae63d22e784bf
                                                                                                                                                            • Instruction ID: 81c747dc557d001a7d2339cc538f24d3c58466bfdd1f1d79cc3375e1642851ea
                                                                                                                                                            • Opcode Fuzzy Hash: 7eaf186ae0cbf7de8f6fa16e82fe6069b98ea90ea005d767dd8ae63d22e784bf
                                                                                                                                                            • Instruction Fuzzy Hash: 6CB14772D003559FDB118F24CC91BAFBBA5EF1D314F246177E904AB382D278A909C7A8
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00457F53,00000000,00000000,00458702,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00000000), ref: 004581E8
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get redirect url: %ls, xrefs: 004583AB
                                                                                                                                                            • Failed to get HTTP status code for failed request to URL: %ls, xrefs: 00458221
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 004583CD
                                                                                                                                                            • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00458381
                                                                                                                                                            • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 004581FF
                                                                                                                                                            • Failed to get HTTP status code for request to URL: %ls, xrefs: 004583BE
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                            • API String ID: 1452528299-2050984236
                                                                                                                                                            • Opcode ID: c8bce2652433962ae21a13487a5a56e000c5032c971f08b9168794195628e916
                                                                                                                                                            • Instruction ID: c43f4edb79640a3f0cc285d62589478d2e36628d4322002665d7805f74761e4e
                                                                                                                                                            • Opcode Fuzzy Hash: c8bce2652433962ae21a13487a5a56e000c5032c971f08b9168794195628e916
                                                                                                                                                            • Instruction Fuzzy Hash: A4512471640515A7DB254E69CC0AB7F3A14EB41B12F24026FFD00FB792DE6ECD09869D
                                                                                                                                                            APIs
                                                                                                                                                            • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 0045B9D2
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045B9DC
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Time$ErrorFileLastSystem
                                                                                                                                                            • String ID: Failed to convert system time to file time.$Failed to copy time.$clbcatq.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\timeutil.cpp
                                                                                                                                                            • API String ID: 2781989572-1833903446
                                                                                                                                                            • Opcode ID: addccec74ffd8075400b9c18d9a6362281546f225286165649c4c7f63dabf776
                                                                                                                                                            • Instruction ID: 36d440dd9e54dc31fc5adf0ab04f010d2f624a24b4fd224765134f55db0cd340
                                                                                                                                                            • Opcode Fuzzy Hash: addccec74ffd8075400b9c18d9a6362281546f225286165649c4c7f63dabf776
                                                                                                                                                            • Instruction Fuzzy Hash: 9C41E6A2B4030979D7209A758C46F7FA669EF51706F10851BBE01BB2D2D628CE0987E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00457F34,00000000,00000000,00000001), ref: 004580F0
                                                                                                                                                            • GetLastError.KERNEL32(?,?,00457F34,00000000,00000000,00000001), ref: 00458152
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                            • API String ID: 1452528299-283382383
                                                                                                                                                            • Opcode ID: 3562a72bd68bf06cb01a0e315f91a8377688c86cb152e29b067c97408dc735df
                                                                                                                                                            • Instruction ID: 7cdb29e359d770f5ccf4fdb9b178d9189f3c1add816806be9d7bc6ce4c551492
                                                                                                                                                            • Opcode Fuzzy Hash: 3562a72bd68bf06cb01a0e315f91a8377688c86cb152e29b067c97408dc735df
                                                                                                                                                            • Instruction Fuzzy Hash: 26414932A40729B7EB215A558C49F7F755C9B00B96F12452AFE00BB2C2EE78CC0597A8
                                                                                                                                                            APIs
                                                                                                                                                            • Sleep.KERNEL32(000007D0,004131C1,004131C1), ref: 0040D3BF
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Sleep
                                                                                                                                                            • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$d:\a\wix4\wix4\src\burn\user\cache.cpp$per-machine$per-user
                                                                                                                                                            • API String ID: 3472027048-1762823252
                                                                                                                                                            • Opcode ID: ec1a7ddea020e2c67ed618aefad271b759aa005965a035b3fff4be48f19b25d6
                                                                                                                                                            • Instruction ID: 325f472e44854cf1767dfadfd35371245fd3e23ee562ec1989811e7010f71801
                                                                                                                                                            • Opcode Fuzzy Hash: ec1a7ddea020e2c67ed618aefad271b759aa005965a035b3fff4be48f19b25d6
                                                                                                                                                            • Instruction Fuzzy Hash: C8412771E40718BBEB22EAD58D07F7F665C9B00710F144137BE04F92D1E6BC9D548AAA
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9DB9
                                                                                                                                                            • Failed to set variant value., xrefs: 003F9DA7
                                                                                                                                                            • Failed to create VersionNT from QWORD., xrefs: 003F9D6A
                                                                                                                                                            • Failed to create VersionNT64 from QWORD., xrefs: 003F9D2E
                                                                                                                                                            • Failed to get OS info., xrefs: 003F9C75
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                            • String ID: Failed to create VersionNT from QWORD.$Failed to create VersionNT64 from QWORD.$Failed to get OS info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3664257935-2516107492
                                                                                                                                                            • Opcode ID: 3075c1d6a065941d5b5876652e66d2dcd885f694f0f673cff9ccd5cdf9a095b5
                                                                                                                                                            • Instruction ID: 20332a7481288492a07e0d8ead8ddccae01f584d7f91542ca3d6b1a7ed8304cf
                                                                                                                                                            • Opcode Fuzzy Hash: 3075c1d6a065941d5b5876652e66d2dcd885f694f0f673cff9ccd5cdf9a095b5
                                                                                                                                                            • Instruction Fuzzy Hash: D541E871D4023CB6DB339B65CD46FFAB6B8AB48704F100197F649E6281E678DE84CE54
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Error reading wix version registry value due to unexpected data type: %u$Failed to convert registry string to wix version.$Failed to copy QWORD wix version value.$Failed to read wix version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 2001391462-1929277467
                                                                                                                                                            • Opcode ID: 007d5c375b8bba4e094b55de0aabfb6d819c0cfb2b17dccd160907b24df64ff8
                                                                                                                                                            • Instruction ID: 068d17eaaba145e66a72df9f317f326fb3fd881104d845cb9e6f51bce42ae36c
                                                                                                                                                            • Opcode Fuzzy Hash: 007d5c375b8bba4e094b55de0aabfb6d819c0cfb2b17dccd160907b24df64ff8
                                                                                                                                                            • Instruction Fuzzy Hash: 65411971E40318F6EF21AE818D4EFAFBA78DF41714F104157FA057A281E3B85A00DBA5
                                                                                                                                                            APIs
                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00439387
                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0043938F
                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00439418
                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00439443
                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00439498
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 1170836740-1018135373
                                                                                                                                                            • Opcode ID: 0c05f3ad4a30c740ef36568fc3fdea67d5c3753842f3929d6dfac27352841047
                                                                                                                                                            • Instruction ID: 1ccf0ed029c74ef7820cfe0f78b719906a64a311a6d74df171cb6890a3de0bde
                                                                                                                                                            • Opcode Fuzzy Hash: 0c05f3ad4a30c740ef36568fc3fdea67d5c3753842f3929d6dfac27352841047
                                                                                                                                                            • Instruction Fuzzy Hash: 6E41E570A00208ABCF14EF69C884A9E7BA4FF4D318F14905AEC145B392D7B9DD06CB99
                                                                                                                                                            APIs
                                                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,00408EB7,?,?,?,?), ref: 0044D584
                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,?,00408EB7,?,?,?,?), ref: 0044D609
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: EnumInfoQueryValue
                                                                                                                                                            • String ID: Failed to allocate array for registry value name$Failed to enumerate registry value$Failed to get max size of value name under registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 918324718-3509199686
                                                                                                                                                            • Opcode ID: b382d2ef8df605aaacf2d982901e0f5212f4564794924b1c9c63634ba9cc1806
                                                                                                                                                            • Instruction ID: e96338a19d27328bb07c46a25979a0096af6a2ddc4d44b01541913f885c51a05
                                                                                                                                                            • Opcode Fuzzy Hash: b382d2ef8df605aaacf2d982901e0f5212f4564794924b1c9c63634ba9cc1806
                                                                                                                                                            • Instruction Fuzzy Hash: F7213776A00219BBFB016E459D44EBF766DDB85764F22042BBE04A7340EA788D018778
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,003F6CF2,000000FF,04685000,000000FF,00000000,PackageVersion,003F6CF2,8D18C483,004131C1,00000001,00000000,003F6CF2,004131C1,003F6CF2), ref: 00407794
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,PackageVersion,003F6CF2,8D18C483,004131C1,00000001,00000000,003F6CF2,004131C1,003F6CF2,00000000,004131C1,004131C1,004131C1,003F6CF2), ref: 004077B1
                                                                                                                                                            Strings
                                                                                                                                                            • PackageVersion, xrefs: 00407775
                                                                                                                                                            • Failed to format key for update registration., xrefs: 00407738
                                                                                                                                                            • Failed to remove update registration key: %ls, xrefs: 004077E6
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 0040774A, 004077F8
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCompareString
                                                                                                                                                            • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 446873843-2063007608
                                                                                                                                                            • Opcode ID: 28027cf9f3c0226b388a0a95b4974b43dca1a99f6c87847e9e2ad76b6e3554a6
                                                                                                                                                            • Instruction ID: 8d6c07339f0941717c6c9f094ef9b6a9d39eeb9ef35e04ad5d4bd88faf5b8c9d
                                                                                                                                                            • Opcode Fuzzy Hash: 28027cf9f3c0226b388a0a95b4974b43dca1a99f6c87847e9e2ad76b6e3554a6
                                                                                                                                                            • Instruction Fuzzy Hash: 6631FC71D40225B6DB12ABA58C4AFAFBE78DF00751F104277F910F61D1E6786A00C6E6
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 003F74C2
                                                                                                                                                              • Part of subcall function 003F4456: SetLastError.KERNEL32(00000000,?,?,?), ref: 003F446B
                                                                                                                                                              • Part of subcall function 003F4456: GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 003F447A
                                                                                                                                                              • Part of subcall function 003F4456: GetLastError.KERNEL32(?,?,?), ref: 003F4484
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 003F749B
                                                                                                                                                            • .#v@1#v, xrefs: 003F74C2
                                                                                                                                                            • Unable to get resume command line from the registry, xrefs: 003F743E
                                                                                                                                                            • Failed to open run once log., xrefs: 003F7404
                                                                                                                                                            • Failed to get current process path., xrefs: 003F7462
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7416, 003F74AD
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CloseFileHandleModuleName
                                                                                                                                                            • String ID: Failed to get current process path.$Failed to open run once log.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry$d:\a\wix4\wix4\src\burn\user\user.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 628991300-3364403784
                                                                                                                                                            • Opcode ID: 50b82f15088ecb68e6bb92b316b390938bbb6b00ee4a6c86f7cce9f9e79945dd
                                                                                                                                                            • Instruction ID: 29a025c63abcf3e988feecbea05fac3daef9ac26f3d15ace4be2bcf8c4d4a025
                                                                                                                                                            • Opcode Fuzzy Hash: 50b82f15088ecb68e6bb92b316b390938bbb6b00ee4a6c86f7cce9f9e79945dd
                                                                                                                                                            • Instruction Fuzzy Hash: 6931C672E4061DB7DF239B968C46FEFBB6CAB04700F104166B704BA180F6B4AA108B95
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Error reading version registry value due to unexpected data type: %u$Failed to convert registry string to version.$Failed to copy QWORD version value.$Failed to read version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 2001391462-2150151203
                                                                                                                                                            • Opcode ID: aa815a379744a734005a17fe19332184e5c218e394d25e41635440c31792dc0f
                                                                                                                                                            • Instruction ID: 8b4e7801f70e2fdbb49a5383808a15fd4baa4dd8072845fa58b26f947ec5c9d2
                                                                                                                                                            • Opcode Fuzzy Hash: aa815a379744a734005a17fe19332184e5c218e394d25e41635440c31792dc0f
                                                                                                                                                            • Instruction Fuzzy Hash: F121D571E80318F6FB226E518D4FFAF7AA8DB55B10F104457FE047A281D6B88900D696
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseErrorExecuteHandleLastShell
                                                                                                                                                            • String ID: ShellExecEx failed with return code: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 3023784893-2488749685
                                                                                                                                                            • Opcode ID: 00337111077ae5a35984a2c76af110c75ab05e6c23b2207d7c92f8d14119376a
                                                                                                                                                            • Instruction ID: a474b34d81943df438088c5ec257cf51b6ca8db23c42fd2d1842e1c730893772
                                                                                                                                                            • Opcode Fuzzy Hash: 00337111077ae5a35984a2c76af110c75ab05e6c23b2207d7c92f8d14119376a
                                                                                                                                                            • Instruction Fuzzy Hash: 87314AB5E01219ABDB10DF9ADD44A9FBBF8AF98711F10401BED05F7341E7B499018BA4
                                                                                                                                                            APIs
                                                                                                                                                            • IsWindow.USER32(?), ref: 0043408F
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateProcessWindow
                                                                                                                                                            • String ID: BA passed NULL hwndParent to Apply.$BA passed invalid hwndParent to Apply.$Failed to alloc BOOTSTRAPPER_user_ACTION$Failed to enqueue apply action.$d:\a\wix4\wix4\src\burn\user\externaluser.cpp
                                                                                                                                                            • API String ID: 850432942-3904185537
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Failed to allocate memory for message.$Failed to calculate total pipe message size$d:\a\wix4\wix4\src\burn\user\pipe.cpp
                                                                                                                                                            • API String ID: 2001391462-2608942841
                                                                                                                                                            APIs
                                                                                                                                                            • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,00000000,00000000), ref: 0040D523
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040D52D
                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,00000000,00000000), ref: 0040D599
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AttributesErrorFileInitializeLast
                                                                                                                                                            • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 669721577-2625618253
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045BB55
                                                                                                                                                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 0045BB94
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045BB9E
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastTime$FileSystem
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp$failed to convert system time to file time$failed to get create time for internet file handle
                                                                                                                                                            • API String ID: 1528435940-425296829
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                                                                            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$d:\a\wix4\wix4\src\burn\user\cabextract.cpp
                                                                                                                                                            • API String ID: 1970631241-1065166858
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,0044B4C2,?), ref: 0044B5EF
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp, xrefs: 0044B582
                                                                                                                                                            • Failed to read registry value to detect UAC., xrefs: 0044B5C7
                                                                                                                                                            • EnableLUA, xrefs: 0044B599
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0044B539
                                                                                                                                                            • Failed to open system policy key to detect UAC., xrefs: 0044B573
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: EnableLUA$Failed to open system policy key to detect UAC.$Failed to read registry value to detect UAC.$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp
                                                                                                                                                            • API String ID: 3535843008-1917839530
                                                                                                                                                            APIs
                                                                                                                                                            • FormatMessageW.KERNEL32(-000011F7,00000008,?,00000000,00000000,00000000,00000000,80070656,?,?,?,0041D303,00000000,00000008,00000000,80070656), ref: 003F2B56
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0041D303,00000000,00000008,00000000,80070656,?,?,0040A7BB,00000001,00000000,80070656,00000000,?), ref: 003F2B63
                                                                                                                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0041D303,00000000,00000008,00000000,80070656,?,?,0040A7BB,00000001), ref: 003F2BE7
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                            • String ID: Failed to allocate string for message.$Failed to format message for error: 0x%x$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp
                                                                                                                                                            • API String ID: 1365068426-3351270200
                                                                                                                                                            • Opcode ID: e873976b98c76454616d463fad4e97fb425dde9e5183c5ab6711f7cc2c2baa34
                                                                                                                                                            • Instruction ID: 32e84d1595250f175ab720b2ece3a4e77f741eab3da5a40a50d31f77b2db31b0
                                                                                                                                                            • Opcode Fuzzy Hash: e873976b98c76454616d463fad4e97fb425dde9e5183c5ab6711f7cc2c2baa34
                                                                                                                                                            • Instruction Fuzzy Hash: 61219DB294122DFBEB229E959C4AFAF7A6CDB04751F014061BE04FA281E674CE00C6E0
                                                                                                                                                            APIs
                                                                                                                                                            • SysAllocString.OLEAUT32(003F7D9B), ref: 00450C6C
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00450CB6
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$AllocFree
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectNodes$pixnParent parameter was null in XmlSelectNodes$ppixnChild parameter was null in XmlSelectNodes
                                                                                                                                                            • API String ID: 344208780-3683195698
                                                                                                                                                            • Opcode ID: 6cd7be9d4fc1ede3839c266511c5c3ec868a66308f8f15d4cb0306cd0ee04d9d
                                                                                                                                                            • Instruction ID: e37c564df1ca2d12fd708ca5c36322f5bfd248aa4b5026d31ce6f11bdfa10d70
                                                                                                                                                            • Opcode Fuzzy Hash: 6cd7be9d4fc1ede3839c266511c5c3ec868a66308f8f15d4cb0306cd0ee04d9d
                                                                                                                                                            • Instruction Fuzzy Hash: FF113A61780315B7E2262E045C4AF7F215CDB96F13F11893BFE00BB382DA988D0147A9
                                                                                                                                                            APIs
                                                                                                                                                            • SysAllocString.OLEAUT32(003F7D9B), ref: 00450D43
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00450D8D
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$AllocFree
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectSingleNode$pixnParent parameter was null in XmlSelectSingleNode$ppixnChild parameter was null in XmlSelectSingleNode
                                                                                                                                                            • API String ID: 344208780-1462723567
                                                                                                                                                            • Opcode ID: 1647fe70c751aa2c09db625933db95f660fd1da2eb92b3ef70e427ebe459158a
                                                                                                                                                            • Instruction ID: 31fb281087258f0b21fa81cd76fcba90539601196ec3b8dbc72d0a307f5c8871
                                                                                                                                                            • Opcode Fuzzy Hash: 1647fe70c751aa2c09db625933db95f660fd1da2eb92b3ef70e427ebe459158a
                                                                                                                                                            • Instruction Fuzzy Hash: D2112461780355B7E6212A455C4DF7F216CDB95F52F10403BFE00BB282E6AC9E0987A9
                                                                                                                                                            APIs
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,00442CD2,?,?,00000000,?,?,?,00442E2C,00000022,FlsSetValue,0047DA4C,0047DA54,?), ref: 00442C84
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                            • API String ID: 3664257935-537541572
                                                                                                                                                            • Opcode ID: 046932b9a80a655f1c32edab566d4d100188a2228d1567cdbeb3effa9f5ccf20
                                                                                                                                                            • Instruction ID: 9bfa16abe6c84693f55710e4322757b19ff27be151f9de198277d3257c5ee313
                                                                                                                                                            • Opcode Fuzzy Hash: 046932b9a80a655f1c32edab566d4d100188a2228d1567cdbeb3effa9f5ccf20
                                                                                                                                                            • Instruction Fuzzy Hash: A5212432A01211ABEB219F21DEC5A5F3768EF41761F640126FC09A73D5E6B8FE01C6D9
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 003FD825
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to copy condition string from BSTR, xrefs: 003FD7FE
                                                                                                                                                            • Failed to select condition node., xrefs: 003FD7B2
                                                                                                                                                            • Failed to get Condition inner text., xrefs: 003FD7D8
                                                                                                                                                            • Condition, xrefs: 003FD790
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\condition.cpp, xrefs: 003FD810
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString
                                                                                                                                                            • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$d:\a\wix4\wix4\src\burn\user\condition.cpp
                                                                                                                                                            • API String ID: 3341692771-1135705897
                                                                                                                                                            • Opcode ID: 08e1ebb3055208998d348e88c6ad912d1f7691c922aa38cbbc81f4de8602b123
                                                                                                                                                            • Instruction ID: d6c567963ccb8825f9cf96231d21968a425e328c86d1f8c3f0d3f387a0bb8d25
                                                                                                                                                            • Opcode Fuzzy Hash: 08e1ebb3055208998d348e88c6ad912d1f7691c922aa38cbbc81f4de8602b123
                                                                                                                                                            • Instruction Fuzzy Hash: 11112C35740318BBDB13AB41CC0EFBF7A7ADB84F51F214016FA05BB291EAB09A449654
                                                                                                                                                            APIs
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00458C80
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeString
                                                                                                                                                            • String ID: Already process this datetime value.$Failed to convert value to time.$Failed to get value.$clbcatq.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                            • API String ID: 3341692771-436059191
                                                                                                                                                            • Opcode ID: 2aebf1d60868ba18a302f8128e5b613afae282a4e4c773f2be889b519cd5d43a
                                                                                                                                                            • Instruction ID: 06c7ec5de47131104f5112f1d4194721deabed03361fa0651c4d45edf6aa79ff
                                                                                                                                                            • Opcode Fuzzy Hash: 2aebf1d60868ba18a302f8128e5b613afae282a4e4c773f2be889b519cd5d43a
                                                                                                                                                            • Instruction Fuzzy Hash: E61129B0A42314B6D7222A459C45F6FB658DB10766F50412FFB00BA292DE789D00C6A8
                                                                                                                                                            APIs
                                                                                                                                                            • PathAllocCanonicalize.KERNELBASE(?,?,00451D45), ref: 00451C32
                                                                                                                                                            • LocalFree.KERNEL32(00000000,00000000,?,?,00451D45,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00451C9F
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to copy the canonicalized path., xrefs: 00451C6B
                                                                                                                                                            • Failed to initialize path2utl., xrefs: 00451C79
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00451C49, 00451C85
                                                                                                                                                            • Failed to canonicalize: %ls, xrefs: 00451C3D
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocCanonicalizeFreeLocalPath
                                                                                                                                                            • String ID: Failed to canonicalize: %ls$Failed to copy the canonicalized path.$Failed to initialize path2utl.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                            • API String ID: 2828741713-2733107982
                                                                                                                                                            APIs
                                                                                                                                                            • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,200001A4,00000000,00000000,00000000,200001A4,?,0041B002,00000000), ref: 00454D02
                                                                                                                                                            • CoCreateInstance.OLE32(00000000,00000000,00000001,00489150,00000000,?,0041B002,00000000), ref: 00454D2A
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp, xrefs: 00454D42
                                                                                                                                                            • Microsoft.Update.AutoUpdate, xrefs: 00454CFD
                                                                                                                                                            • Failed to create instance of Microsoft.Update.AutoUpdate., xrefs: 00454D36
                                                                                                                                                            • Failed to get CLSID for Microsoft.Update.AutoUpdate., xrefs: 00454D0E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateFromInstanceProg
                                                                                                                                                            • String ID: Failed to create instance of Microsoft.Update.AutoUpdate.$Failed to get CLSID for Microsoft.Update.AutoUpdate.$Microsoft.Update.AutoUpdate$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp
                                                                                                                                                            • API String ID: 2151042543-594154128
                                                                                                                                                            APIs
                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,*A,00000000,?,0041EA2A,?,000000FF), ref: 003F1756
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ObjectSingleWait
                                                                                                                                                            • String ID: *A$Abandoned wait for single object.$Failed to wait for single object.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                            • API String ID: 24740636-1597505963
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00405766: GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00405793
                                                                                                                                                              • Part of subcall function 00405766: FreeLibrary.KERNEL32(?), ref: 004057BA
                                                                                                                                                              • Part of subcall function 00405766: GetLastError.KERNEL32 ref: 004057C4
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 003F6DBC
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F6DCB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCriticalDeleteErrorFreeHandleLastLibraryProcSection
                                                                                                                                                            • String ID: Failed to start bootstrapper application.$PhPg?$d:\a\wix4\wix4\src\burn\user\user.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 835895727-1260961714
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0045C4FB,0045C6A4), ref: 0045C497
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0045C4AD
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0045C4C2
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                            • API String ID: 667068680-1718035505
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(004360E3,?,00000000,?,004360E3,00000000), ref: 00436100
                                                                                                                                                            • CloseHandle.KERNEL32(0CC2C95B,?,00000000,?,004360E3,00000000), ref: 00436110
                                                                                                                                                            • CloseHandle.KERNEL32(EC8B5500,?,00000000,?,004360E3,00000000), ref: 00436121
                                                                                                                                                            • CloseHandle.KERNEL32(08758B56,?,00000000,?,004360E3,00000000), ref: 00436132
                                                                                                                                                            • UnmapViewOfFile.KERNEL32(5974F685,00000000,?,004360E3,00000000), ref: 00436144
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$FileUnmapView
                                                                                                                                                            • String ID: .#v@1#v
                                                                                                                                                            • API String ID: 260491571-773301876
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00405766: GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00405793
                                                                                                                                                              • Part of subcall function 00405766: FreeLibrary.KERNEL32(?), ref: 004057BA
                                                                                                                                                              • Part of subcall function 00405766: GetLastError.KERNEL32 ref: 004057C4
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 003F6DBC
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F6DCB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCriticalDeleteErrorFreeHandleLastLibraryProcSection
                                                                                                                                                            • String ID: Failed to load BA.$PhPg?$d:\a\wix4\wix4\src\burn\user\user.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 835895727-957774958
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00405766: GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00405793
                                                                                                                                                              • Part of subcall function 00405766: FreeLibrary.KERNEL32(?), ref: 004057BA
                                                                                                                                                              • Part of subcall function 00405766: GetLastError.KERNEL32 ref: 004057C4
                                                                                                                                                            • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 003F6DBC
                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003F6DCB
                                                                                                                                                            Strings
                                                                                                                                                            • .#v@1#v, xrefs: 003F6DCB
                                                                                                                                                            • PhPg?, xrefs: 003F6DDE
                                                                                                                                                            • Failed to create queue for bootstrapper user., xrefs: 003F6C46
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F6C58
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCriticalDeleteErrorFreeHandleLastLibraryProcSection
                                                                                                                                                            • String ID: Failed to create queue for bootstrapper user.$PhPg?$d:\a\wix4\wix4\src\burn\user\user.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 835895727-3862015581
                                                                                                                                                            • Opcode ID: 5640839740856374f108c8f4bdfcf446a8fe01b0dfddd5004f0f045369e8416b
                                                                                                                                                            • Instruction ID: 9acb97f1c53d6526c30316dbae177f2c3c0864a60cfab042558fb0d38bacc4ef
                                                                                                                                                            • Opcode Fuzzy Hash: 5640839740856374f108c8f4bdfcf446a8fe01b0dfddd5004f0f045369e8416b
                                                                                                                                                            • Instruction Fuzzy Hash: 42F0683260020CEBDF02EB94DC4AFEDB778EB08315F140456F201B50E1D3B59954CB55
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,004398B1,004396CC,00437194), ref: 004398C8
                                                                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004398D6
                                                                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004398EF
                                                                                                                                                            • SetLastError.KERNEL32(00000000,004398B1,004396CC,00437194), ref: 00439941
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                            • Opcode ID: 64505d3d3d0e526a8ba9ac6a08aa89461aa01f93d2adeebb16901fb542d95696
                                                                                                                                                            • Instruction ID: 8ca6d2bd7816c1f876ecc94aa0eb4042d4da350205ab2fa410a6b2ff482f16f0
                                                                                                                                                            • Opcode Fuzzy Hash: 64505d3d3d0e526a8ba9ac6a08aa89461aa01f93d2adeebb16901fb542d95696
                                                                                                                                                            • Instruction Fuzzy Hash: 1201B93212A3119D97182AFF7CC565F2754EF0A7B8F30223FF110452E1EA995C01925C
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(003F7D5B,WixBundleOriginalSource,?,?,0040F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,003F7D5B,?,00000001,003F7DDB,?,?), ref: 003FA8AF
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(003F7D5B,003F7D5B,00000000,00000000,?,?,0040F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,003F7D5B,?,00000001,003F7DDB), ref: 003FA934
                                                                                                                                                            Strings
                                                                                                                                                            • WixBundleOriginalSource, xrefs: 003FA8AB
                                                                                                                                                            • Failed to get value of variable: %ls, xrefs: 003FA8E9
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FA924
                                                                                                                                                            • Failed to get value as string for variable: %ls, xrefs: 003FA912
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-3124624316
                                                                                                                                                            • Opcode ID: 39ae85e79f6058fb976fcd05662daa5934d788110745e7418cd997869f339b59
                                                                                                                                                            • Instruction ID: fdb0c945e203159b90e87e8109e8383e300b33dac05193e6696b3f521c7e1cef
                                                                                                                                                            • Opcode Fuzzy Hash: 39ae85e79f6058fb976fcd05662daa5934d788110745e7418cd997869f339b59
                                                                                                                                                            • Instruction Fuzzy Hash: 3901A57294071CBBDF225A40CC09FAE7E689F00765F114161FB09A91A1D3B5DA509695
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,024B6805,000000FF,comres.dll,000000FF,00000000,?,00000000,00000000,comres.dll,wininet.dll,00000000,003F6DEA,00000000,FF1C4389), ref: 00410207
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed dependents check on package provider: %ls$comres.dll$d:\a\wix4\wix4\src\burn\user\dependency.cpp$wininet.dll
                                                                                                                                                            • API String ID: 1825529933-2816589420
                                                                                                                                                            • Opcode ID: 2f801d012d1852e5ec88e1de846c7bf7e6fa79c84787c31ac61ba02b2381c444
                                                                                                                                                            • Instruction ID: ea043a2b4f5a614b976e08f9eb7ff2c3f13fc3cab136d42471675abb5a607577
                                                                                                                                                            • Opcode Fuzzy Hash: 2f801d012d1852e5ec88e1de846c7bf7e6fa79c84787c31ac61ba02b2381c444
                                                                                                                                                            • Instruction Fuzzy Hash: A8516C30A01616EBCB19DF94C988BEFBBB4FF05704F10825AE9159B241C7B899D1CBD9
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024,?,?,?,00415E95,000000F8), ref: 00408317
                                                                                                                                                              • Part of subcall function 0044CCD3: RegQueryValueExW.ADVAPI32(?,?,?,0040828D,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 0044CD06
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to read Resume value., xrefs: 004082AE
                                                                                                                                                            • Resume, xrefs: 00408280
                                                                                                                                                            • Failed to open registration key., xrefs: 0040824A
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 0040825C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseQueryValue
                                                                                                                                                            • String ID: Failed to open registration key.$Failed to read Resume value.$Resume$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3356406503-1502274520
                                                                                                                                                            • Opcode ID: f92a10f9943dc4c222fb724da95ae577dacc6aba55986ba16faac344d660bc42
                                                                                                                                                            • Instruction ID: fc274b5e1922049ce1ab70f02dac3c52ec434c3d9b18b329c4ce273ca84bc97b
                                                                                                                                                            • Opcode Fuzzy Hash: f92a10f9943dc4c222fb724da95ae577dacc6aba55986ba16faac344d660bc42
                                                                                                                                                            • Instruction Fuzzy Hash: 1331F431640615EBD7228E98CE85BAA7B64EF40710F1141BFFD81BB390DA7ADD009A59
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044CBC2: RegOpenKeyExW.KERNELBASE(?,0044CBBE,00000000,00000000,00000003,00000000,?,?,00456603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0044CBED
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00020019,?,?,003F6E9A,00000001,003F6DEA), ref: 00457376
                                                                                                                                                              • Part of subcall function 004571E2: RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,003F6E9A,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 0045728C
                                                                                                                                                            Strings
                                                                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004572C5
                                                                                                                                                            • Failed to enumerate uninstall key for related bundles., xrefs: 0045738C
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00457308
                                                                                                                                                            • Failed to open uninstall registry key., xrefs: 004572F9
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close$Open
                                                                                                                                                            • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
                                                                                                                                                            • API String ID: 2976201327-4270664815
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%ls', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
                                                                                                                                                            • API String ID: 2001391462-4099103365
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Failed to get full path for: %ls$Failed to get parent directory for path: %ls$Full path was not rooted: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
                                                                                                                                                            • API String ID: 0-281674368
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,55000CC2,000000FF,FFBC8CE8,000000FF,003F6CF2,5600460C,F685F08B,00000000,00000000,003F721E,003F7222,003F7162,00000000,003F6DEA), ref: 00410AFF
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,8351EC8B,000000FF,FFBC8CE8,000000FF,003F6CF2,5600460C,F685F08B,00000000,00000000,003F721E,003F7222,003F7162,00000000,003F6DEA), ref: 00410B2B
                                                                                                                                                            Strings
                                                                                                                                                            • Failed dependents check on bundle., xrefs: 00410AAE
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\dependency.cpp, xrefs: 00410A61
                                                                                                                                                            • Failed to detect provider key bundle id., xrefs: 00410A4F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed dependents check on bundle.$Failed to detect provider key bundle id.$d:\a\wix4\wix4\src\burn\user\dependency.cpp
                                                                                                                                                            • API String ID: 1825529933-872169753
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%hs', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
                                                                                                                                                            • API String ID: 2001391462-3750679403
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • WaitForSingleObject.KERNEL32(0045E860,000000FF), ref: 004362B4
                                                                                                                                                            • ReleaseMutex.KERNEL32(0045E860), ref: 004362E2
                                                                                                                                                            • SetEvent.KERNEL32(00000000), ref: 004362EB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                                                                                                            • String ID: Failed to allocate buffer.$d:\a\wix4\wix4\src\burn\user\netfxchainer.cpp
                                                                                                                                                            • API String ID: 944053411-1881421891
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,003F9840,003F9840,?,003F8154,?,?,00000000), ref: 003F8342
                                                                                                                                                            • GetLastError.KERNEL32(?,003F8154,?,?,00000000,?,00000000,003F9840,?,003FB468,?,?,?,?,?), ref: 003F8371
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareErrorLastString
                                                                                                                                                            • String ID: Failed to compare strings.$d:\a\wix4\wix4\src\burn\user\variable.cpp$version.dll
                                                                                                                                                            • API String ID: 1733990998-1162684775
                                                                                                                                                            APIs
                                                                                                                                                            • WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,0041EC52,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 003F1673
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: MultipleObjectsWait
                                                                                                                                                            • String ID: Abandoned wait for multiple objects, index: %u.$Failed to wait for multiple objects.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                            • API String ID: 862713236-4067188417
                                                                                                                                                            • Opcode ID: 5ebdcca87697e664b682369b99c2e681409149fef834bb218fbc607d47ee3f18
                                                                                                                                                            • Instruction ID: b5eb19d93690883a8cf09c274e14c3b2fe93da586dc2352900e64bb58e53dcb9
                                                                                                                                                            • Opcode Fuzzy Hash: 5ebdcca87697e664b682369b99c2e681409149fef834bb218fbc607d47ee3f18
                                                                                                                                                            • Instruction Fuzzy Hash: 70218E72A4122DF3D72669566C49FBF691CDF00B22F160125FF05FF282E264CC0082E4
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 003F9893
                                                                                                                                                              • Part of subcall function 0044BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,003F6E9A,00000001,003F6DEA,?,?,?,00457562,00000000), ref: 0044BFE1
                                                                                                                                                              • Part of subcall function 0044BFC9: GetProcAddress.KERNEL32(00000000), ref: 0044BFE8
                                                                                                                                                              • Part of subcall function 0044BFC9: GetLastError.KERNEL32(?,?,?,00457562,00000000), ref: 0044C010
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9938
                                                                                                                                                            • Failed to set system folder variant value., xrefs: 003F9926
                                                                                                                                                            • Failed to get 64-bit system folder., xrefs: 003F98B8
                                                                                                                                                            • Failed to get 32-bit system folder., xrefs: 003F98D7, 003F98FF
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                            • String ID: Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 896058289-2644686703
                                                                                                                                                            • Opcode ID: edf171d31471af51583c7e606894e5a61cdb1a6efabb3c33bb72f1271555090b
                                                                                                                                                            • Instruction ID: bf04b0b9c02ec4229ff7ca44b0bf84443bb2a55c390e98084ddbed0493b93bf9
                                                                                                                                                            • Opcode Fuzzy Hash: edf171d31471af51583c7e606894e5a61cdb1a6efabb3c33bb72f1271555090b
                                                                                                                                                            • Instruction Fuzzy Hash: B721F931E4072CB6DB3396458C0AFAF69ACAF40B50F22415BF740BA1C1E7F09B408695
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            • CreateWellKnownSid.ADVAPI32(001F01FF,00000000,00000000,?,00000044,00000001,00000000,0040D5FB,?,?,?,0040D2F1,001F01FF,0040D617,00000000,00000000), ref: 0040C5A2
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0040D2F1,001F01FF,0040D617,00000000,00000000,?,0040D5FB,0000001A,001F01FF,?,00000000,00000000,?), ref: 0040C5AC
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                                                                                                            • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 2186923214-3368738088
                                                                                                                                                            • Opcode ID: 1c4961acc9ade798555206da9d34cb5acac148998fbd6dcbaef73a0f674da07b
                                                                                                                                                            • Instruction ID: 514fb826cc54bacb98e5e3b4f47c7fba185d9dfd3e10ec83e5dab78b7fb28064
                                                                                                                                                            • Opcode Fuzzy Hash: 1c4961acc9ade798555206da9d34cb5acac148998fbd6dcbaef73a0f674da07b
                                                                                                                                                            • Instruction Fuzzy Hash: 9D113B77A40328B2E22196565C8AF6BAA5CCB41F50F114527BE08FF2C2F5B8DC0185F9
                                                                                                                                                            APIs
                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,003F6C5C,00000000,00000000,?,?,00000000,00000000), ref: 004524FE
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to backslash terminate shell folder path: %ls, xrefs: 00452558
                                                                                                                                                            • Failed to get folder path for CSIDL: %d, xrefs: 0045250D
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 00452567
                                                                                                                                                            • Failed to copy shell folder path: %ls, xrefs: 00452539
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FolderPath
                                                                                                                                                            • String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to get folder path for CSIDL: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
                                                                                                                                                            • API String ID: 1514166925-3657258693
                                                                                                                                                            • Opcode ID: fbd7b68a0efd6573b7f46041028b4ab2167b48c9da2657a60c0c2fa968c017e5
                                                                                                                                                            • Instruction ID: 25ecb6e45147bd3ac31820809950e31b7b9ac6a1132b17ea4e8203dd730e1222
                                                                                                                                                            • Opcode Fuzzy Hash: fbd7b68a0efd6573b7f46041028b4ab2167b48c9da2657a60c0c2fa968c017e5
                                                                                                                                                            • Instruction Fuzzy Hash: C711277174032DB6E721AB648C4AFBF7BACDB45B54F110123FD04BA182E2B4DE0447A8
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F174A: WaitForSingleObject.KERNEL32(?,*A,00000000,?,0041EA2A,?,000000FF), ref: 003F1756
                                                                                                                                                            • GetExitCodeThread.KERNEL32(000000FF,00000000,000000FF,?,003F6CF2), ref: 00456944
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0045694E
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CodeErrorExitLastObjectSingleThreadWait
                                                                                                                                                            • String ID: Failed to get thread return code.$Failed to wait for thread to complete.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\thrdutil.cpp
                                                                                                                                                            • API String ID: 113644094-2957177065
                                                                                                                                                            • Opcode ID: c6bc948820f43fd4035d928d2c1e5f285debfbd9c3b2ee1cff3bd1ca5042350c
                                                                                                                                                            • Instruction ID: b59ca9de3b349c3ea5cd08a79728247e9002e43f7c3d3046cb3e47d12e38684f
                                                                                                                                                            • Opcode Fuzzy Hash: c6bc948820f43fd4035d928d2c1e5f285debfbd9c3b2ee1cff3bd1ca5042350c
                                                                                                                                                            • Instruction Fuzzy Hash: 5D01DF72A80324B7D7312E56DC0AF6F69549B11B52F474516FE04BF2C2E1799C10C2D9
                                                                                                                                                            APIs
                                                                                                                                                            • SetEvent.KERNEL32(?,?,00000000,?,003F805E,?,?,?,?,?,?,?), ref: 004133EB
                                                                                                                                                            • GetLastError.KERNEL32(?,003F805E,?,?,?,?,?,?,?), ref: 004133F5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorEventLast
                                                                                                                                                            • String ID: Failed to set log finished event.$Failed to wait for elevated logging thread.$d:\a\wix4\wix4\src\burn\user\core.cpp
                                                                                                                                                            • API String ID: 3848097054-817072838
                                                                                                                                                            • Opcode ID: 95767ed5b70187a895cfa58c45c478274c2b61cadb376574f3d683e8294a4a0d
                                                                                                                                                            • Instruction ID: 99d8035267988db46ec98be8efbf298fd67d5f88c2b9808723d153a2993307d1
                                                                                                                                                            • Opcode Fuzzy Hash: 95767ed5b70187a895cfa58c45c478274c2b61cadb376574f3d683e8294a4a0d
                                                                                                                                                            • Instruction Fuzzy Hash: 01014972B80739B3D2221A655C0BFABE54C9F40BA2F114233FE48BE2C1F3949D5141D9
                                                                                                                                                            APIs
                                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 00416300
                                                                                                                                                            • CoUninitialize.OLE32(?,00419CE0,?,?), ref: 0041636B
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to initialize COM., xrefs: 0041630C
                                                                                                                                                            • Failed to pump messages in child process., xrefs: 00416347
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\elevation.cpp, xrefs: 0041631E, 00416359
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InitializeUninitialize
                                                                                                                                                            • String ID: Failed to initialize COM.$Failed to pump messages in child process.$d:\a\wix4\wix4\src\burn\user\elevation.cpp
                                                                                                                                                            • API String ID: 3442037557-3194279326
                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1490980C,?,?,00000000,0045D0D5,000000FF,?,0043E66A,?,?,0043E63E,00000000), ref: 0043E6C3
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043E6D5
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,0045D0D5,000000FF,?,0043E66A,?,?,0043E63E,00000000), ref: 0043E6F7
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            APIs
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 00446165
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0044622E
                                                                                                                                                            • __freea.LIBCMT ref: 00446295
                                                                                                                                                              • Part of subcall function 0043F62C: HeapAlloc.KERNEL32(00000000,00441970,?,?,00441970,00000220,?,00000000,?), ref: 0043F65E
                                                                                                                                                            • __freea.LIBCMT ref: 004462A8
                                                                                                                                                            • __freea.LIBCMT ref: 004462B5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1096550386-0
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040E17D
                                                                                                                                                              • Part of subcall function 00455E1B: GetLastError.KERNEL32(?,?,0040E0CE,?,00000003,?,?), ref: 00455E3B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$d:\a\wix4\wix4\src\burn\user\cache.cpp
                                                                                                                                                            • API String ID: 1452528299-112932794
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                            • String ID: %lu.%lu.%lu.%lu$Failed to allocate and format the version string.$Failed to allocate memory for Verutil version from QWORD.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp
                                                                                                                                                            • API String ID: 1357844191-3295944732
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000005,00000000,?,00000000,?,?,00457C49,?,00458702,?,00000000,HEAD,00000000,00000000,00458702), ref: 0045BC0A
                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00457C49,?,00458702,?,00000000,HEAD,00000000,00000000,00458702,00000000,?), ref: 0045BC56
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID: Failed to get content length string for internet file handle$Failed to parse size for internet file handle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp
                                                                                                                                                            • API String ID: 1452528299-1743952032
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 00435061
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 004350E8
                                                                                                                                                            Strings
                                                                                                                                                            • user is active, cannot change user state., xrefs: 00435079
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\externaluser.cpp, xrefs: 0043508B
                                                                                                                                                            • Failed to set feed download URL., xrefs: 004350BC
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: user is active, cannot change user state.$Failed to set feed download URL.$d:\a\wix4\wix4\src\burn\user\externaluser.cpp
                                                                                                                                                            • API String ID: 3168844106-105427012
                                                                                                                                                            • Opcode ID: 754d6778c6dbc68a5d55c6554b6c81f04a60d37ff0cf345528d21fd0a66a2630
                                                                                                                                                            • Instruction ID: 99f3030871db3046af2298bd42c9b4c040b75afb150038e03721498b4eefa2cf
                                                                                                                                                            • Opcode Fuzzy Hash: 754d6778c6dbc68a5d55c6554b6c81f04a60d37ff0cf345528d21fd0a66a2630
                                                                                                                                                            • Instruction Fuzzy Hash: 0E010431780B1AB7E6296631CC49FEBB26CAB18751F200113F509EA180E6B5E90087F9
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 003FA9DA
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 003FAA62
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get value of variable: %ls, xrefs: 003FAA14
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FAA52
                                                                                                                                                            • Failed to get value as version for variable: %ls, xrefs: 003FAA40
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-1616145386
                                                                                                                                                            • Opcode ID: 56d6721aa9f0bdf95fe29e1767b48dc01e19b49972cc6ca1d6384ae39ab736bf
                                                                                                                                                            • Instruction ID: 00b700239f6747c96c22c63f34edf3f344a027a2346179f442cc035b80bf67dc
                                                                                                                                                            • Opcode Fuzzy Hash: 56d6721aa9f0bdf95fe29e1767b48dc01e19b49972cc6ca1d6384ae39ab736bf
                                                                                                                                                            • Instruction Fuzzy Hash: DE010871980A28FFCF235F40CD09FAE3A689B14761F118151FB08AA1A2E774DD14D799
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 003FA811
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 003FA896
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get value of variable: %ls, xrefs: 003FA84B
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FA886
                                                                                                                                                            • Failed to get value as numeric for variable: %ls, xrefs: 003FA874
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-1964378859
                                                                                                                                                            • Opcode ID: 63a1dfbdce4e178d66543f5a5b949de8e092fbc64b1535b308107566ba10fdfd
                                                                                                                                                            • Instruction ID: c83805fee2be56cd24fcd7491f4a4d05637394f68857d78b2deb3e1a05483dce
                                                                                                                                                            • Opcode Fuzzy Hash: 63a1dfbdce4e178d66543f5a5b949de8e092fbc64b1535b308107566ba10fdfd
                                                                                                                                                            • Instruction Fuzzy Hash: E601C8B1A40618FBDF235F80CC0AF9E3E54DB04BA5F114165FF08AA1A1D2B4DA119696
                                                                                                                                                            APIs
                                                                                                                                                            • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F15D8
                                                                                                                                                              • Part of subcall function 003F13DA: GetModuleHandleW.KERNEL32(kernel32,00000000,003F15E3,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13ED
                                                                                                                                                              • Part of subcall function 003F13DA: GetLastError.KERNEL32(?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13F9
                                                                                                                                                            • SetDefaultDllDirectories.KERNELBASE ref: 003F15FA
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1600
                                                                                                                                                            • SetDllDirectoryW.KERNEL32 ref: 003F161D
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F162B
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$DefaultDirectoriesDirectoryHandleHeapInformationModule
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2226491684-0
                                                                                                                                                            • Opcode ID: 59e0af7fef3e6d9d1289b792e18a84e2d92375bf1c2d31202adccd7b4c6d9c6f
                                                                                                                                                            • Instruction ID: c74a164df4120b35e6c0ec1a141cc95e112033c756f7689f7a343aabfca06f14
                                                                                                                                                            • Opcode Fuzzy Hash: 59e0af7fef3e6d9d1289b792e18a84e2d92375bf1c2d31202adccd7b4c6d9c6f
                                                                                                                                                            • Instruction Fuzzy Hash: 14019231501219EBDB266F12EC0997E7B29EF80B51B164075FD1997214C7309942DFA4
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,003FD253,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,003FD44C,00000001), ref: 003FA94D
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,?,00000000,?,003FD253,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,003FD44C), ref: 003FA9C1
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get value of variable: %ls, xrefs: 003FA973
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FA9B1
                                                                                                                                                            • Failed to copy value of variable: %ls, xrefs: 003FA99F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-3684767681
                                                                                                                                                            • Opcode ID: 8bcba8c627bda89437e513df1b4f4ca0e974552ea6c5fbbafa2ac65fca87c3fe
                                                                                                                                                            • Instruction ID: 3c56a27ba873a0b530c903bc55a17e195843eaa115b4b3b22ed9633381ead0ab
                                                                                                                                                            • Opcode Fuzzy Hash: 8bcba8c627bda89437e513df1b4f4ca0e974552ea6c5fbbafa2ac65fca87c3fe
                                                                                                                                                            • Instruction Fuzzy Hash: 8E018471A8062CBBDF126F44CD0AF9F7F689F04795F114021FE04A92A2E6B5DA109A95
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(00057AF8,00000000,003F80B3,?,003F77FE,003F87BB,?,003F80B3,?,?,?,?), ref: 0040B9FC
                                                                                                                                                            • CloseHandle.KERNEL32(E8057400,00000000,003F80B3,?,003F77FE,003F87BB,?,003F80B3,?,?,?,?), ref: 0040BA0D
                                                                                                                                                            • CloseHandle.KERNEL32(FFFFF71C,00000000,003F80B3,?,003F77FE,003F87BB,?,003F80B3,?,?,?,?), ref: 0040BA1E
                                                                                                                                                            • CloseHandle.KERNEL32(BD830005,00000000,003F80B3,?,003F77FE,003F87BB,?,003F80B3,?,?,?,?), ref: 0040BA30
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                            • String ID: .#v@1#v
                                                                                                                                                            • API String ID: 2962429428-773301876
                                                                                                                                                            • Opcode ID: b61b418e1587f488213a27ee952a5e92ade21709a648720e35f5cf118b7a8676
                                                                                                                                                            • Instruction ID: f7882648cb4e95ff4243de5d2a675775c30bc8cbe171dd3b8517b51e8494d9ad
                                                                                                                                                            • Opcode Fuzzy Hash: b61b418e1587f488213a27ee952a5e92ade21709a648720e35f5cf118b7a8676
                                                                                                                                                            • Instruction Fuzzy Hash: F8015E30501B00DFC7329F15D804A57BBF0FF54712F004A3EE59661AA1C735AA84DF89
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000001,89504689,000000FF,?,000000FF,003F6DEA,00000000,003F6CF2,003F7162,003F6DEA,003F6EDE,00000000,00000000,003F6CF2,00000000), ref: 0042E6B7
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: BA aborted detect forward compatible bundle.$Failed to compare bundle version '%ls' to related bundle version '%ls'$d:\a\wix4\wix4\src\burn\user\detect.cpp
                                                                                                                                                            • API String ID: 1825529933-3048877371
                                                                                                                                                            • Opcode ID: d13f9e29ae32d705e0236ae16caa40bc4ff3dc8c5981ecc22aa5561431644a26
                                                                                                                                                            • Instruction ID: 1d086dd36503719859ec7e76392e31e255979d9aa636ae1d645a26dce310b054
                                                                                                                                                            • Opcode Fuzzy Hash: d13f9e29ae32d705e0236ae16caa40bc4ff3dc8c5981ecc22aa5561431644a26
                                                                                                                                                            • Instruction Fuzzy Hash: 4041E131A00710FFEB21AFA69C41FAABBB9FF08304F50453EF655A2191D775A9608B54
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to copy provider key for compatible entry., xrefs: 00410C9E
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\dependency.cpp, xrefs: 00410CB0, 00410CF3
                                                                                                                                                            • Failed to get provider information for compatible package: %ls, xrefs: 00410CE1
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to copy provider key for compatible entry.$Failed to get provider information for compatible package: %ls$d:\a\wix4\wix4\src\burn\user\dependency.cpp
                                                                                                                                                            • API String ID: 3535843008-4100048506
                                                                                                                                                            • Opcode ID: 68bf39b431e7a48febbc4fb6c7482ffc97ac649e7e31c1fc6eca55809112be84
                                                                                                                                                            • Instruction ID: d3683501f11bcd6b43147579e45d02825a646fb26169ed98548b46ed59523179
                                                                                                                                                            • Opcode Fuzzy Hash: 68bf39b431e7a48febbc4fb6c7482ffc97ac649e7e31c1fc6eca55809112be84
                                                                                                                                                            • Instruction Fuzzy Hash: 0B414171E4021AFFDB19DFA4DC81BEEB7B4BB04710F10426AF515E7280E2B499819F95
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00457E27: lstrlenW.KERNEL32(?), ref: 00457EF4
                                                                                                                                                              • Part of subcall function 00457E27: lstrlenW.KERNEL32(00000000), ref: 00457F0A
                                                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000000,?,00458702,?,00000000,HEAD,00000000,00000000,00458702,00000000,?,?,00000000,00000000), ref: 00457C79
                                                                                                                                                            Strings
                                                                                                                                                            • HEAD, xrefs: 00457C08
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00457C30
                                                                                                                                                            • Failed to connect to URL: %ls, xrefs: 00457C21
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Timelstrlen$FileSystem
                                                                                                                                                            • String ID: Failed to connect to URL: %ls$HEAD$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                            • API String ID: 3954044709-1251758901
                                                                                                                                                            • Opcode ID: 543e3473642128580b32254486fb5ce40ee403ce98ac9a1cd43a194ed1ef4e0d
                                                                                                                                                            • Instruction ID: 28729027cc22fac4e14c5b17d0ac7285ee1a04992d5400493c997aec1cb0e8ca
                                                                                                                                                            • Opcode Fuzzy Hash: 543e3473642128580b32254486fb5ce40ee403ce98ac9a1cd43a194ed1ef4e0d
                                                                                                                                                            • Instruction Fuzzy Hash: 73218BB1900219FFDB169F84DD46DAFBBB9EF04301F10416AFC00A6252D7B4DE049BA5
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00456717
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 0045669E, 004566F8
                                                                                                                                                            • Failed to open policy key: %ls, name: %ls, xrefs: 004566EC
                                                                                                                                                            • Failed to open policy key: %ls, xrefs: 00456692
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                            • API String ID: 3535843008-3938230626
                                                                                                                                                            • Opcode ID: d2091198b07526da348dfd1099bc2471a01f7ccd0dbf96e40c8a2b10d461b7f3
                                                                                                                                                            • Instruction ID: 22170e2b4ca84f9a375d6f1043f82fc8ef0739e1e3f35c7e07d6c2cd30eeb54b
                                                                                                                                                            • Opcode Fuzzy Hash: d2091198b07526da348dfd1099bc2471a01f7ccd0dbf96e40c8a2b10d461b7f3
                                                                                                                                                            • Instruction Fuzzy Hash: F0210B32640229FBDB216ED18C86F9F7A68DB08755F534027FE0467152D2B88D24D7D9
                                                                                                                                                            APIs
                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,?,0040828D,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 0044CD06
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: QueryValue
                                                                                                                                                            • String ID: Error reading version registry value due to unexpected data type: %u$Failed to query registry key value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 3660427363-2246233778
                                                                                                                                                            • Opcode ID: 17c4c19115e8dfc365a6b1a157265c4760e1e9e96049d70ff0225541c7b03e90
                                                                                                                                                            • Instruction ID: b353d963847dd221abcea1f7168822af2a8089b64f9b6e0c632f2df562d1196e
                                                                                                                                                            • Opcode Fuzzy Hash: 17c4c19115e8dfc365a6b1a157265c4760e1e9e96049d70ff0225541c7b03e90
                                                                                                                                                            • Instruction Fuzzy Hash: 2C112CB2D0114CB7FB116A419C89EAF7E6DCBC5750F29443BFA00AB241E5784E0286B8
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,?,00000000,000000FF,00000000,000000FF,00000000,?,00461D1C,00000000,00000000,00000000,00000000,00000000), ref: 0045418A
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp, xrefs: 00454121
                                                                                                                                                            • Failed to hash the string., xrefs: 0045414D
                                                                                                                                                            • Invalid dictionary - bucket size index is out of range, xrefs: 0045410D
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to hash the string.$Invalid dictionary - bucket size index is out of range$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp
                                                                                                                                                            • API String ID: 1825529933-1798595610
                                                                                                                                                            • Opcode ID: 067b664a0883c9e1d28887ef0caf27616ab6167a3ef32b7fa4c4c673becc031b
                                                                                                                                                            • Instruction ID: 302238bfdcdb582f35b6392cf6f6bde116bf1267a5ec3e89211a6740a1a94b27
                                                                                                                                                            • Opcode Fuzzy Hash: 067b664a0883c9e1d28887ef0caf27616ab6167a3ef32b7fa4c4c673becc031b
                                                                                                                                                            • Instruction Fuzzy Hash: 68213A31640A05FBCB10CF88DC89F5EB764FB51729F200216F9109F291C778E990CBA8
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(003F6EDE,003F6DEA,003F6DA2,8351EC8B,5300FC65,F6B70F0B,003F6DEA,003F6D72,003F7172,003F6D72,003F6ECA,003F6EDE,003F7162,003F6DEA,003F6EDE,00000000), ref: 00457556
                                                                                                                                                              • Part of subcall function 0044BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,003F6E9A,00000001,003F6DEA,?,?,?,00457562,00000000), ref: 0044BFE1
                                                                                                                                                              • Part of subcall function 0044BFC9: GetProcAddress.KERNEL32(00000000), ref: 0044BFE8
                                                                                                                                                              • Part of subcall function 0044BFC9: GetLastError.KERNEL32(?,?,?,00457562,00000000), ref: 0044C010
                                                                                                                                                              • Part of subcall function 0045729B: RegCloseKey.ADVAPI32(00000000,00020019,?,?,003F6E9A,00000001,003F6DEA), ref: 00457376
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to query 32-bit related bundles., xrefs: 004575B6
                                                                                                                                                            • Failed to query 64-bit related bundles., xrefs: 004575E3
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 004575F2
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                            • String ID: Failed to query 32-bit related bundles.$Failed to query 64-bit related bundles.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
                                                                                                                                                            • API String ID: 3109562764-3570192855
                                                                                                                                                            • Opcode ID: f5b5b1e2a254827c4a58f155c7f25c58095b80b86b97f3f5c40c1861847247ba
                                                                                                                                                            • Instruction ID: 0cb378cb8d04c2af119a6155ecc02a2913595844152911f6229b6ac3b452f51f
                                                                                                                                                            • Opcode Fuzzy Hash: f5b5b1e2a254827c4a58f155c7f25c58095b80b86b97f3f5c40c1861847247ba
                                                                                                                                                            • Instruction Fuzzy Hash: D821D4B4E01228AFCB51DFA8D845BCEBBF4AB08755F114166FC05F7341E3749A408B94
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044CBC2: RegOpenKeyExW.KERNELBASE(?,0044CBBE,00000000,00000000,00000003,00000000,?,?,00456603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0044CBED
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,0040713E,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002), ref: 0044D707
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044D6B3, 0044D6F0
                                                                                                                                                            • Failed to read value type: %ls/@%ls, xrefs: 0044D6E1
                                                                                                                                                            • Failed to open key: %ls, xrefs: 0044D6A4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                            • String ID: Failed to open key: %ls$Failed to read value type: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 47109696-3852982929
                                                                                                                                                            • Opcode ID: 928d0b1668fec6db3ef01e4b45a098c522718700b51469cb24502c74b813d5cb
                                                                                                                                                            • Instruction ID: 3daf7da375050051e47ddab01a13786def596a1786ce4bad802099d68c8dc59b
                                                                                                                                                            • Opcode Fuzzy Hash: 928d0b1668fec6db3ef01e4b45a098c522718700b51469cb24502c74b813d5cb
                                                                                                                                                            • Instruction Fuzzy Hash: F811EB32E40228BBEF226E84CD0AFAE7A68DB08715F154156FE047A191D2B95E10A7D9
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,IGNOREDEPENDENCIES,00000000,00000000,?,?,004103A0,00000000,IGNOREDEPENDENCIES,00000000,00000000), ref: 00405D26
                                                                                                                                                            Strings
                                                                                                                                                            • IGNOREDEPENDENCIES, xrefs: 00405CDD
                                                                                                                                                            • Failed to copy the property value., xrefs: 00405D5A
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\package.cpp, xrefs: 00405D6C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES$d:\a\wix4\wix4\src\burn\user\package.cpp
                                                                                                                                                            • API String ID: 1825529933-2032719239
                                                                                                                                                            • Opcode ID: 91590ac7bb90bdc7b44c22c771e900d71edbe2bfc896d6dc438ce3d952178dcb
                                                                                                                                                            • Instruction ID: a329a6670202dbbc7fb041b0f39dca7611980324ab475605db70cb1cc7e835c6
                                                                                                                                                            • Opcode Fuzzy Hash: 91590ac7bb90bdc7b44c22c771e900d71edbe2bfc896d6dc438ce3d952178dcb
                                                                                                                                                            • Instruction Fuzzy Hash: 3611E631600618BBDB119B848C8DFDBB2A1EF04720F314277F714BB2D1E2749810CA99
                                                                                                                                                            APIs
                                                                                                                                                            • WaitForSingleObject.KERNEL32(0045E860,000000FF,00000000,00000002,?,?,004363B6,00000000,?,?,?), ref: 00436165
                                                                                                                                                            • ReleaseMutex.KERNEL32(0045E860,?,004363B6,00000000,?,?,?), ref: 004361FB
                                                                                                                                                              • Part of subcall function 003F540B: GetProcessHeap.KERNEL32(?,?,?,0041DDCD,?,00000000), ref: 003F541C
                                                                                                                                                              • Part of subcall function 003F540B: RtlAllocateHeap.NTDLL(00000000,?,0041DDCD,?,00000000), ref: 003F5423
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                                                                                                                            • String ID: Failed to allocate memory for message data$d:\a\wix4\wix4\src\burn\user\netfxchainer.cpp
                                                                                                                                                            • API String ID: 2993511968-954368992
                                                                                                                                                            • Opcode ID: d400b2935d4e4161a4679b16c8ce2e138ee725a0633728197be52b475d7657d4
                                                                                                                                                            • Instruction ID: aaac679c7d6bdd78bdbcbae8160bff48fe3aedf7580b79abde7c0e2c2b0bff28
                                                                                                                                                            • Opcode Fuzzy Hash: d400b2935d4e4161a4679b16c8ce2e138ee725a0633728197be52b475d7657d4
                                                                                                                                                            • Instruction Fuzzy Hash: 7A1184B1300216BFD7158F25DC85F6AB7A8FF09724F104565FA189F392C371A820CB94
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0045343B: FindFirstFileW.KERNEL32(003F6DEA,?,003F6DEA,003F6DEA,00000000), ref: 00453476
                                                                                                                                                              • Part of subcall function 0045343B: FindClose.KERNEL32(00000000), ref: 00453482
                                                                                                                                                            • SetFileAttributesW.KERNEL32(004302EC,?,004302EC,?,0045E908,?,?,004302EC,?,?,?,?,00000000,00000000), ref: 00432C93
                                                                                                                                                            • GetLastError.KERNEL32(?,?,004302EC,?,?,?,?,00000000,00000000), ref: 00432C9D
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileFind$AttributesCloseErrorFirstLast
                                                                                                                                                            • String ID: Failed to clear readonly bit on payload destination path: %ls$d:\a\wix4\wix4\src\burn\user\apply.cpp
                                                                                                                                                            • API String ID: 1980345056-600630982
                                                                                                                                                            • Opcode ID: e293086d8407f39250b84b90e6339a2f3aa3ca9016a12870ab5834ef923ede7b
                                                                                                                                                            • Instruction ID: 92d62648b80624d28c6be7814e0bbeffc19c63d598a397299b7647bc0012a537
                                                                                                                                                            • Opcode Fuzzy Hash: e293086d8407f39250b84b90e6339a2f3aa3ca9016a12870ab5834ef923ede7b
                                                                                                                                                            • Instruction Fuzzy Hash: B2114873E01239B7DB2256559E05BBF796CDB08BA0F119127FC04AB351D2ACCE0185E8
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to cache bundle from path: %ls, xrefs: 004090E3
                                                                                                                                                            • Failed to create registration key., xrefs: 0040912A
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 004090F5, 00409959
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to cache bundle from path: %ls$Failed to create registration key.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3535843008-2361216137
                                                                                                                                                            • Opcode ID: d159e3abde16d676ec175aa13ef40b3d3183c23310a929b8d25dcf9eaa0642dd
                                                                                                                                                            • Instruction ID: a3784603899a904ca88cc80d49c49e1d88ec3417e58f3a96f168a159522c07e7
                                                                                                                                                            • Opcode Fuzzy Hash: d159e3abde16d676ec175aa13ef40b3d3183c23310a929b8d25dcf9eaa0642dd
                                                                                                                                                            • Instruction Fuzzy Hash: 91110632A40225BBEF129A91DC46FBF7A259B04714F000167FB00B91D2E6B5CC10CAA5
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004500B5: SysAllocString.OLEAUT32(00000000), ref: 004500C9
                                                                                                                                                              • Part of subcall function 004500B5: VariantInit.OLEAUT32(?), ref: 004500D5
                                                                                                                                                              • Part of subcall function 004500B5: VariantClear.OLEAUT32(?), ref: 004501C4
                                                                                                                                                              • Part of subcall function 004500B5: SysFreeString.OLEAUT32(00000000), ref: 004501CF
                                                                                                                                                            • SysFreeString.OLEAUT32(00000001), ref: 00450466
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to treat attribute value as UInt64., xrefs: 00450435
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0045040B
                                                                                                                                                            • failed XmlGetAttribute, xrefs: 004503FC
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                            • String ID: Failed to treat attribute value as UInt64.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlGetAttribute
                                                                                                                                                            • API String ID: 3379191133-2593243594
                                                                                                                                                            • Opcode ID: c7bf561e36d47a859d0a7320f7a814449f6fdcd2effb701d4518e5e2432a849c
                                                                                                                                                            • Instruction ID: 40907eb5bb9f84823da7f65aa54e2da82133dc01b364309db5a27bfc235f6924
                                                                                                                                                            • Opcode Fuzzy Hash: c7bf561e36d47a859d0a7320f7a814449f6fdcd2effb701d4518e5e2432a849c
                                                                                                                                                            • Instruction Fuzzy Hash: 3E118F74E41318BFDB119F94CC81AAEBBB8EB05746F1080A6FE01AB342D275CE049B95
                                                                                                                                                            APIs
                                                                                                                                                            • ReadFile.KERNEL32(00000004,00000004,?,?,00000000,?,00000000,00000000,?,?,0040C427,?,?,00000004,?,00000004), ref: 004534F1
                                                                                                                                                            • GetLastError.KERNEL32(?,?,0040C427,?,?,00000004,?,00000004,00000004,?,?,00000004,?,00000004,00000004), ref: 004534FB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastRead
                                                                                                                                                            • String ID: Failed to read data from file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            • API String ID: 1948546556-2736598211
                                                                                                                                                            • Opcode ID: 22ef2b590384ccac01164e44363ac2b2d8cde7fdd22cfea9bb869e90217c7f55
                                                                                                                                                            • Instruction ID: fa2a2cc2e06b32b6f405de2b76e76965649b111fa836f7ba8aa1d3f74d54984e
                                                                                                                                                            • Opcode Fuzzy Hash: 22ef2b590384ccac01164e44363ac2b2d8cde7fdd22cfea9bb869e90217c7f55
                                                                                                                                                            • Instruction Fuzzy Hash: 9F010833A0013CBBD3119E99DC45BAFB62C9B40B97F014026FE04B7241F268AF0452E8
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044CBC2: RegOpenKeyExW.KERNELBASE(?,0044CBBE,00000000,00000000,00000003,00000000,?,?,00456603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0044CBED
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,00407102,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,003F6EDE,00000000), ref: 0044CB9B
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044CB48, 0044CB84
                                                                                                                                                            • Failed to read value: %ls/@%ls, xrefs: 0044CB75
                                                                                                                                                            • Failed to open key: %ls, xrefs: 0044CB39
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                            • String ID: Failed to open key: %ls$Failed to read value: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 47109696-2566192520
                                                                                                                                                            • Opcode ID: fa3fefbddb4e078c7aee5781433085e5a049bd6fe6e7b8e62c50f95ca525dad0
                                                                                                                                                            • Instruction ID: cde11cfef76b85922890c5128f04f6ef579bb939841f9a1d78af39c469dff362
                                                                                                                                                            • Opcode Fuzzy Hash: fa3fefbddb4e078c7aee5781433085e5a049bd6fe6e7b8e62c50f95ca525dad0
                                                                                                                                                            • Instruction Fuzzy Hash: EC112C36941268B7FF226E80DD87F9E7A24DB04714F184012FF0475291D2B94E10B7D9
                                                                                                                                                            APIs
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F7385
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7398
                                                                                                                                                            Strings
                                                                                                                                                            • Failed while running , xrefs: 003F7345
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7357
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: MessagePostWindow
                                                                                                                                                            • String ID: Failed while running $d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 3618638489-2348268852
                                                                                                                                                            • Opcode ID: 04da1d335a4be054f9225d24713d8df8323d07b2131fe12162b58719731ebdd9
                                                                                                                                                            • Instruction ID: d9e628853dbb1e4f81515153a51e7a31a5063db94226f9894bf3bad18d10b124
                                                                                                                                                            • Opcode Fuzzy Hash: 04da1d335a4be054f9225d24713d8df8323d07b2131fe12162b58719731ebdd9
                                                                                                                                                            • Instruction Fuzzy Hash: 7711A57190060DBADB13ABA5CC46FBFB7B8AF00715F100127FA00E5091E774DA90EB94
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 003F97B5
                                                                                                                                                              • Part of subcall function 0044BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,003F6E9A,00000001,003F6DEA,?,?,?,00457562,00000000), ref: 0044BFE1
                                                                                                                                                              • Part of subcall function 0044BFC9: GetProcAddress.KERNEL32(00000000), ref: 0044BFE8
                                                                                                                                                              • Part of subcall function 0044BFC9: GetLastError.KERNEL32(?,?,?,00457562,00000000), ref: 0044C010
                                                                                                                                                              • Part of subcall function 003F8AA9: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020019,00000002,00000000), ref: 003F8B61
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9811
                                                                                                                                                            • Failed to set variant value., xrefs: 003F97FF
                                                                                                                                                            • Failed to get 64-bit folder., xrefs: 003F97D8
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                            • String ID: Failed to get 64-bit folder.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3109562764-867371702
                                                                                                                                                            • Opcode ID: 94555e3d4c17b38e4d8195d7ef843489fb1a01b88dc928a19a154f1863e774db
                                                                                                                                                            • Instruction ID: 7e9022559f410de02fe8299c25b7d03de81d08e1b6e3fbe397b69f96eb0a8ccd
                                                                                                                                                            • Opcode Fuzzy Hash: 94555e3d4c17b38e4d8195d7ef843489fb1a01b88dc928a19a154f1863e774db
                                                                                                                                                            • Instruction Fuzzy Hash: 8E019671E4021CBADF23AB95CC06FEFBA6CEF41B50F114167F604FA191E6B09A409694
                                                                                                                                                            APIs
                                                                                                                                                            • ControlService.ADVAPI32(0042984C,00000001,?,00000000,00000000,?,?,?,?,?,?,0042984C,00000000), ref: 00429994
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,0042984C,00000000), ref: 0042999E
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ControlErrorLastService
                                                                                                                                                            • String ID: Failed to stop wusa service.$d:\a\wix4\wix4\src\burn\user\msuuser.cpp
                                                                                                                                                            • API String ID: 4114567744-2199517983
                                                                                                                                                            • Opcode ID: ae3737c4a0a71e9eb318933116430f9d3ca2d6f51e1b508c35c673447c455919
                                                                                                                                                            • Instruction ID: badce0da07f4628d882b15e3119bb37ddb9386bf07cfcdb49167f824dde0aec8
                                                                                                                                                            • Opcode Fuzzy Hash: ae3737c4a0a71e9eb318933116430f9d3ca2d6f51e1b508c35c673447c455919
                                                                                                                                                            • Instruction Fuzzy Hash: A001DD72B0123877E7109A55AC45FBFB6AC9B49B64F42412AFD04FB380D668DD4045E9
                                                                                                                                                            APIs
                                                                                                                                                            • GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,?,?,?,003FE202,0100147D,?,?,00000000,00000000), ref: 00453B7B
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,003FE202,0100147D,?,?,00000000,00000000,?,?,?,003F6C5C,00000000,003F6570), ref: 00453B85
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastSize
                                                                                                                                                            • String ID: Failed to get size of file.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                            • API String ID: 464720113-3816715765
                                                                                                                                                            APIs
                                                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 00450489
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004504DB
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$AllocFree
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
                                                                                                                                                            • API String ID: 344208780-608482133
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F13DA: GetModuleHandleW.KERNEL32(kernel32,00000000,003F15E3,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13ED
                                                                                                                                                              • Part of subcall function 003F13DA: GetLastError.KERNEL32(?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F13F9
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?), ref: 003F1855
                                                                                                                                                            • GetLastError.KERNEL32(?,003F1645,?,?,?,?,?,?,003F115A,cabinet.dll,00000009,?,?,00000000), ref: 003F1866
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to get load library with LOAD_LIBRARY_SEARCH_SYSTEM32., xrefs: 003F1893
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 003F1888, 003F188D, 003F189F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$HandleLibraryLoadModule
                                                                                                                                                            • String ID: Failed to get load library with LOAD_LIBRARY_SEARCH_SYSTEM32.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                            • API String ID: 4252302101-2751505537
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00405793
                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 004057BA
                                                                                                                                                            • GetLastError.KERNEL32 ref: 004057C4
                                                                                                                                                            Strings
                                                                                                                                                            • BootstrapperApplicationDestroy, xrefs: 0040578B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryProc
                                                                                                                                                            • String ID: BootstrapperApplicationDestroy
                                                                                                                                                            • API String ID: 1144718084-3186005537
                                                                                                                                                            APIs
                                                                                                                                                            • RegSetValueExW.ADVAPI32(?,00407A20,003F6CF2,EstimatedSize,000000FF,003F6CF2,00000000,?,00409AF0,00000000,00000390,000000F8,003F6CF2,004131C1,00000000,00000000), ref: 0044D7AD
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID: EstimatedSize$Failed to set %ls value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 3702945584-416555833
                                                                                                                                                            APIs
                                                                                                                                                            • SysAllocString.OLEAUT32(003F7D5B), ref: 00450050
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004500A0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$AllocFree
                                                                                                                                                            • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
                                                                                                                                                            • API String ID: 344208780-608482133
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringOrdinal.KERNEL32(00000000,00000009,00000008,0000000D,00000001,00000000,00000001,?,00451359,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014), ref: 0045119A
                                                                                                                                                            • GetLastError.KERNEL32(?,00451359,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014,00000015,00000010,00000011,0000000C,0000000D,00000008,00000009), ref: 004511A6
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareErrorLastOrdinalString
                                                                                                                                                            • String ID: Failed to compare version substrings$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp
                                                                                                                                                            • API String ID: 2427233125-1336685116
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004501DE: VariantInit.OLEAUT32(?), ref: 004501F5
                                                                                                                                                              • Part of subcall function 004501DE: VariantClear.OLEAUT32(?), ref: 00450340
                                                                                                                                                              • Part of subcall function 004501DE: SysFreeString.OLEAUT32(00000000), ref: 0045034B
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,003F7D9B,?,00000000,00000000,?,?,003FBB5B,003F7D9B,Hidden,?), ref: 00450563
                                                                                                                                                            Strings
                                                                                                                                                            • yes, xrefs: 00450555
                                                                                                                                                            • Failed to get attribute., xrefs: 00450535
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00450544
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: StringVariant$ClearCompareFreeInit
                                                                                                                                                            • String ID: Failed to get attribute.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$yes
                                                                                                                                                            • API String ID: 2896382772-315762043
                                                                                                                                                            • Opcode ID: b8c16323386788898abfc484126db271145e229862b949297efe92480b6bc157
                                                                                                                                                            • Instruction ID: 87dad9baeb43a02b45718fe07eb66d2cf1e1eb3189b3edea375c78bc84b520f5
                                                                                                                                                            • Opcode Fuzzy Hash: b8c16323386788898abfc484126db271145e229862b949297efe92480b6bc157
                                                                                                                                                            • Instruction Fuzzy Hash: 77012B3199021CBBDB11EEA4CC0AF9E7A649B01766F204311BD10B61D1D6788B04DB98
                                                                                                                                                            APIs
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00400603
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 0040061E
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00400628
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryProc
                                                                                                                                                            • String ID: BundleExtensionDestroy
                                                                                                                                                            • API String ID: 1144718084-3206861012
                                                                                                                                                            • Opcode ID: 2cf65d4cbf430cd62c43bae9dbbf7c73f6a8ab4b5bea988d41d68fcd56d6aa3b
                                                                                                                                                            • Instruction ID: 5ac107e09705116c181e147026b541e4b4b54ec56f761766c52887028dbae036
                                                                                                                                                            • Opcode Fuzzy Hash: 2cf65d4cbf430cd62c43bae9dbbf7c73f6a8ab4b5bea988d41d68fcd56d6aa3b
                                                                                                                                                            • Instruction Fuzzy Hash: DD015A31500601EFDB149F66CC8875ABBA9FB80306F10887AE416A3290E779EA91CA58
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 003F9730
                                                                                                                                                              • Part of subcall function 0044BCAF: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0044BCD0
                                                                                                                                                              • Part of subcall function 0044BCAF: GetLastError.KERNEL32 ref: 0044BCDA
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9757, 003F978C
                                                                                                                                                            • Failed to set variant value., xrefs: 003F977A
                                                                                                                                                            • Failed to check if process token has privilege: %ls., xrefs: 003F9745
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentErrorLastLookupPrivilegeProcessValue
                                                                                                                                                            • String ID: Failed to check if process token has privilege: %ls.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3865200005-2747678004
                                                                                                                                                            • Opcode ID: f7951964a7e8e6b5500cc04f8ad132ea8f3cf681ecb49089fb9587a2bb80a395
                                                                                                                                                            • Instruction ID: fd7a0e35c783b916e92063ed3b1bbf430e77f0e0de956391186db9a68b1fb239
                                                                                                                                                            • Opcode Fuzzy Hash: f7951964a7e8e6b5500cc04f8ad132ea8f3cf681ecb49089fb9587a2bb80a395
                                                                                                                                                            • Instruction Fuzzy Hash: ECF0F4B2A80318B6EB12BA819C07FEE395CDB00B94F104152BB04EA190E6A4DA1057E5
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 003F943F
                                                                                                                                                              • Part of subcall function 0044BD94: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,003F944B,00000000), ref: 0044BDA7
                                                                                                                                                              • Part of subcall function 0044BD94: GetProcAddress.KERNEL32(00000000), ref: 0044BDAE
                                                                                                                                                              • Part of subcall function 0044BD94: GetLastError.KERNEL32(?,?,?,?,003F944B,00000000), ref: 0044BDD8
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F9491
                                                                                                                                                            • Failed to set variant value., xrefs: 003F947F
                                                                                                                                                            • Failed to get native machine value., xrefs: 003F9451
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                            • String ID: Failed to get native machine value.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 896058289-3337725491
                                                                                                                                                            • Opcode ID: c54513f6b582b80951cef302adc4b4279451df86753e4f708ea3b839e533f025
                                                                                                                                                            • Instruction ID: b6e843dcaa6f679ba6a067a4d003c83fd8ce5f3b0b80d93052dc84e0459d4ff3
                                                                                                                                                            • Opcode Fuzzy Hash: c54513f6b582b80951cef302adc4b4279451df86753e4f708ea3b839e533f025
                                                                                                                                                            • Instruction Fuzzy Hash: 93F0F6B2F8432872DB23E6968C0AFEF655C8B11B50F110153BA44FA1D0F694DD0086D5
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004005D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00400603
                                                                                                                                                              • Part of subcall function 004005D5: FreeLibrary.KERNEL32(00000000), ref: 0040061E
                                                                                                                                                              • Part of subcall function 004005D5: GetLastError.KERNEL32 ref: 00400628
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F7385
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7398
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to check global conditions, xrefs: 003F716A
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7131
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                            • String ID: Failed to check global conditions$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 1565363025-665746148
                                                                                                                                                            • Opcode ID: 5bb3333b7c03ff6f07d717cfd50e434ca7a3b93085f51db661f5892e4b419836
                                                                                                                                                            • Instruction ID: ead02a475b9ca97110180582a33a52bb74d56b4a212c36d645d9f214c5ae626f
                                                                                                                                                            • Opcode Fuzzy Hash: 5bb3333b7c03ff6f07d717cfd50e434ca7a3b93085f51db661f5892e4b419836
                                                                                                                                                            • Instruction Fuzzy Hash: 8FF06871600608BAEB137765DC4AFBEB668AF10705F100067BA05A44A2E774DB90EA95
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004005D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00400603
                                                                                                                                                              • Part of subcall function 004005D5: FreeLibrary.KERNEL32(00000000), ref: 0040061E
                                                                                                                                                              • Part of subcall function 004005D5: GetLastError.KERNEL32 ref: 00400628
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F7385
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7398
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to create the message window., xrefs: 003F71A8
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7131
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                            • String ID: Failed to create the message window.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 1565363025-1122250624
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004005D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00400603
                                                                                                                                                              • Part of subcall function 004005D5: FreeLibrary.KERNEL32(00000000), ref: 0040061E
                                                                                                                                                              • Part of subcall function 004005D5: GetLastError.KERNEL32 ref: 00400628
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F7385
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7398
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to query registration., xrefs: 003F71CB
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7131
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                            • String ID: Failed to query registration.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 1565363025-1827799990
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004005D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00400603
                                                                                                                                                              • Part of subcall function 004005D5: FreeLibrary.KERNEL32(00000000), ref: 0040061E
                                                                                                                                                              • Part of subcall function 004005D5: GetLastError.KERNEL32 ref: 00400628
                                                                                                                                                            • IsWindow.USER32(?), ref: 003F7385
                                                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7398
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\user.cpp, xrefs: 003F7131
                                                                                                                                                            • Failed to open log., xrefs: 003F711F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                            • String ID: Failed to open log.$d:\a\wix4\wix4\src\burn\user\user.cpp
                                                                                                                                                            • API String ID: 1565363025-1747915094
                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00439A94,00000000,?,0048CD30,?,?,?,00439C37,00000004,InitializeCriticalSectionEx,0047C2FC,InitializeCriticalSectionEx), ref: 00439AF0
                                                                                                                                                            • GetLastError.KERNEL32(?,00439A94,00000000,?,0048CD30,?,?,?,00439C37,00000004,InitializeCriticalSectionEx,0047C2FC,InitializeCriticalSectionEx,00000000,?,004399B0), ref: 00439AFA
                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00439B22
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                            • API String ID: 3177248105-2084034818
                                                                                                                                                            APIs
                                                                                                                                                            • GetConsoleOutputCP.KERNEL32(1490980C,00000000,00000000,?), ref: 00446618
                                                                                                                                                              • Part of subcall function 00441F7B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044628B,?,00000000,-00000008), ref: 00441FDC
                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044686A
                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004468B0
                                                                                                                                                            • GetLastError.KERNEL32 ref: 00446953
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2112829910-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AdjustPointer
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1740715915-0
                                                                                                                                                            APIs
                                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 003FC932
                                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 003FC93A
                                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 003FC942
                                                                                                                                                            • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 003FC96F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2793162063-0
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,?,?,003F85B0,00000000,?,0040A80F,?,00000001,00000000,?,00000002,-00000001,00000008,?), ref: 003FB4FE
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,00000000,?,?,003F85B0,00000000,?,0040A80F,?,00000001,00000000,?,00000002,-00000001), ref: 003FB55D
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003FB540
                                                                                                                                                            • Failed to get visibility of variable: %ls, xrefs: 003FB52E
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                            • String ID: Failed to get visibility of variable: %ls$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 3168844106-1405185440
                                                                                                                                                            APIs
                                                                                                                                                            • CloseHandle.KERNEL32(00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23,BootstrapperApplicationData.xml,003F7D97,003F7E0B,?,003F7E23,003F80EB), ref: 003FEB3A
                                                                                                                                                              • Part of subcall function 0041ED3E: SetEvent.KERNEL32(?,003F7E23,00000001,00000000,?,003FEB0E,00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23), ref: 0041ED5B
                                                                                                                                                              • Part of subcall function 0041ED3E: GetLastError.KERNEL32(?,003FEB0E,00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23,BootstrapperApplicationData.xml,003F7D97,003F7E0B,?), ref: 0041ED65
                                                                                                                                                              • Part of subcall function 0041ED3E: CloseHandle.KERNEL32(?,00000001,00000000,?,003FEB0E,00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23,BootstrapperApplicationData.xml), ref: 0041EDE1
                                                                                                                                                              • Part of subcall function 0041ED3E: CloseHandle.KERNEL32(?,00000001,00000000,?,003FEB0E,00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23,BootstrapperApplicationData.xml), ref: 0041EDF4
                                                                                                                                                              • Part of subcall function 0041ED3E: CloseHandle.KERNEL32(?,00000001,00000000,?,003FEB0E,00000001,003F7D5B,00000000,?,0041445E,?,003F7D93,003F7E23,00000000,003F7E23,BootstrapperApplicationData.xml), ref: 0041EE07
                                                                                                                                                            Strings
                                                                                                                                                            • .#v@1#v, xrefs: 003FEB3A
                                                                                                                                                            • Failed to close cabinet., xrefs: 003FEB14
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\container.cpp, xrefs: 003FEB26
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandle$ErrorEventLast
                                                                                                                                                            • String ID: Failed to close cabinet.$d:\a\wix4\wix4\src\burn\user\container.cpp$.#v@1#v
                                                                                                                                                            • API String ID: 477349713-3885541803
                                                                                                                                                            APIs
                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00447E50,00000000,00000001,?,?,?,004469A7,?,00000000,00000000), ref: 00448CFE
                                                                                                                                                            • GetLastError.KERNEL32(?,00447E50,00000000,00000001,?,?,?,004469A7,?,00000000,00000000,?,?,?,00446F4A,00000000), ref: 00448D0A
                                                                                                                                                              • Part of subcall function 00448CD0: CloseHandle.KERNEL32(FFFFFFFE,00448D1A,?,00447E50,00000000,00000001,?,?,?,004469A7,?,00000000,00000000,?,?), ref: 00448CE0
                                                                                                                                                            • ___initconout.LIBCMT ref: 00448D1A
                                                                                                                                                              • Part of subcall function 00448C91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00448CC0,00447E3D,?,?,004469A7,?,00000000,00000000,?), ref: 00448CA4
                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00447E50,00000000,00000001,?,?,?,004469A7,?,00000000,00000000,?), ref: 00448D2F
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2744216297-0
                                                                                                                                                            APIs
                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 003F69E9
                                                                                                                                                            • SetEvent.KERNEL32(?,?,?,00000000), ref: 003F6A06
                                                                                                                                                            • GetLastError.KERNEL32 ref: 003F6A10
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 003F6A17
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterErrorEventLastLeave
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2851136515-0
                                                                                                                                                            APIs
                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 0043A63B
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variant.cpp, xrefs: 0041D99A
                                                                                                                                                            • Failed to copy variant value., xrefs: 0041D988
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _memcpy_s
                                                                                                                                                            • String ID: Failed to copy variant value.$d:\a\wix4\wix4\src\burn\user\variant.cpp
                                                                                                                                                            • API String ID: 2001391462-3907457943
                                                                                                                                                            APIs
                                                                                                                                                            • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,003F6DEA,00000000,003F7162,00000000,00000257,54B7FF10), ref: 00428132
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\mspuser.cpp, xrefs: 00428188
                                                                                                                                                            • Failed to add chained patch., xrefs: 00428176
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareString
                                                                                                                                                            • String ID: Failed to add chained patch.$d:\a\wix4\wix4\src\burn\user\mspuser.cpp
                                                                                                                                                            • API String ID: 1825529933-1868150798
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp, xrefs: 003F5641
                                                                                                                                                            • Failed to resize array while inserting items, xrefs: 003F5632
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: Failed to resize array while inserting items$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
                                                                                                                                                            • API String ID: 0-1811546269
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 0044CBC2: RegOpenKeyExW.KERNELBASE(?,0044CBBE,00000000,00000000,00000003,00000000,?,?,00456603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0044CBED
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,003F6E9A,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 0045728C
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to open uninstall key for potential related bundle: %ls, xrefs: 0045721F
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 0045722E
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                            • String ID: Failed to open uninstall key for potential related bundle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
                                                                                                                                                            • API String ID: 47109696-3466351475
                                                                                                                                                            APIs
                                                                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,0044C4F6,00020006,?,?,00000000,00000000,00000000,00407B5F,00000000,00000000,?,00407B5F,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce), ref: 0044C55C
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Create
                                                                                                                                                            • String ID: Failed to create registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 2289755597-627842214
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004539DD: SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539F5
                                                                                                                                                              • Part of subcall function 004539DD: GetLastError.KERNEL32(?,?,?,0040CE21,?,00000000,00000000,00000000,00000000), ref: 004539FF
                                                                                                                                                            • WriteFile.KERNEL32(000000FF,00000008,00000008,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,0045850C), ref: 00458447
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to seek to start point in file., xrefs: 00458416
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00458425
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorLastPointerWrite
                                                                                                                                                            • String ID: Failed to seek to start point in file.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                            • API String ID: 972348794-4104125422
                                                                                                                                                            APIs
                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,0044D6D1,00000000,003F6EDE,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,0040713E), ref: 0044C860
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: QueryValue
                                                                                                                                                            • String ID: Failed to read registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 3660427363-2776790363
                                                                                                                                                            APIs
                                                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,004071DB,003F6DEA,003F7162,003F6EDE,80000002,SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations,00020019,00000000,003F6DEA,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations2,00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager), ref: 0044CC85
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0044CCAA, 0044CCB0, 0044CCC1
                                                                                                                                                            • Failed to get the number of subkeys and values under registry key., xrefs: 0044CCB6
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InfoQuery
                                                                                                                                                            • String ID: Failed to get the number of subkeys and values under registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 1673771737-4053068048
                                                                                                                                                            • Opcode ID: 1edd36921851dea6fa0d02b124ab7d0b61829cb2ce44f854b1c782c38f1aa0fc
                                                                                                                                                            • Instruction ID: e68e11e3b9ff59b4857bc8fa312a6d97b47c7718022e578bc1534514e4a044f4
                                                                                                                                                            • Opcode Fuzzy Hash: 1edd36921851dea6fa0d02b124ab7d0b61829cb2ce44f854b1c782c38f1aa0fc
                                                                                                                                                            • Instruction Fuzzy Hash: B2F0AF7620119976E62129579C8DF9F6F6DDBC6F60F0A042ABE089B250E5698C02C6B8
                                                                                                                                                            APIs
                                                                                                                                                            • RegSetValueExW.ADVAPI32(?,00408FA9,?,00000000,?,?,?,?), ref: 0044D738
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID: Failed to set %ls value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                            • API String ID: 3702945584-457337809
                                                                                                                                                            • Opcode ID: 489ce05f7b7968794ec4ec44c1884d235c9122569901b0449d867517d38050ef
                                                                                                                                                            • Instruction ID: 673be955fcf80d05495dea73aa6953983621f2309c02536ce257940350129611
                                                                                                                                                            • Opcode Fuzzy Hash: 489ce05f7b7968794ec4ec44c1884d235c9122569901b0449d867517d38050ef
                                                                                                                                                            • Instruction Fuzzy Hash: 19F0C23A60026877F72129175C09E5F6A6DDBC6BA0F15402ABE149B250E6798C0196B8
                                                                                                                                                            APIs
                                                                                                                                                            • GetNativeSystemInfo.KERNEL32(?), ref: 003F997C
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\variable.cpp, xrefs: 003F99C0
                                                                                                                                                            • Failed to set variant value., xrefs: 003F99AE
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InfoNativeSystem
                                                                                                                                                            • String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\user\variable.cpp
                                                                                                                                                            • API String ID: 1721193555-2731189036
                                                                                                                                                            • Opcode ID: 71fe32d762b351852508716f4d8903576f6899464eb2d55971e8bde8d59f025c
                                                                                                                                                            • Instruction ID: a3b74bbdcd799db4745bbeeebb8759fd24c1ac0da573052336dafc9a4e1c232e
                                                                                                                                                            • Opcode Fuzzy Hash: 71fe32d762b351852508716f4d8903576f6899464eb2d55971e8bde8d59f025c
                                                                                                                                                            • Instruction Fuzzy Hash: F6F08BB1D4061C7ADF11DA99DC09FDEB7B9AB44754F104426F605FA190F3B49904C791
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 003F2B25: FormatMessageW.KERNEL32(-000011F7,00000008,?,00000000,00000000,00000000,00000000,80070656,?,?,?,0041D303,00000000,00000008,00000000,80070656), ref: 003F2B56
                                                                                                                                                              • Part of subcall function 003F2B25: GetLastError.KERNEL32(?,?,?,0041D303,00000000,00000008,00000000,80070656,?,?,0040A7BB,00000001,00000000,80070656,00000000,?), ref: 003F2B63
                                                                                                                                                              • Part of subcall function 003F2B25: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0041D303,00000000,00000008,00000000,80070656,?,?,0040A7BB,00000001), ref: 003F2BE7
                                                                                                                                                            • MessageBoxW.USER32(00000000,00000000,?,00001010), ref: 0041D349
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\splashscreen.cpp, xrefs: 0041D31B
                                                                                                                                                            • Failed to allocate string to display error message, xrefs: 0041D30C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ErrorFormatFreeLastLocal
                                                                                                                                                            • String ID: Failed to allocate string to display error message$d:\a\wix4\wix4\src\burn\user\splashscreen.cpp
                                                                                                                                                            • API String ID: 2195691534-719764090
                                                                                                                                                            • Opcode ID: d185bf56c00f9a1856c8e857f69dfe63d6137b9329d9d779af9d88aac81f96b8
                                                                                                                                                            • Instruction ID: b44d818c94eb001ae969427211e594ad1ac87d1932d69ac6368a3163b73cee86
                                                                                                                                                            • Opcode Fuzzy Hash: d185bf56c00f9a1856c8e857f69dfe63d6137b9329d9d779af9d88aac81f96b8
                                                                                                                                                            • Instruction Fuzzy Hash: E601D672D4031CF7DF269F818D0AFDE7B64EB00741F248112FE0869190D2B89B94D79A
                                                                                                                                                            APIs
                                                                                                                                                            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,003F1144,?,?,00000000), ref: 003F79EF
                                                                                                                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,003F1144,?,?,00000000), ref: 003F7A1F
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CompareStringlstrlen
                                                                                                                                                            • String ID: burn.clean.room
                                                                                                                                                            • API String ID: 1433953587-3055529264
                                                                                                                                                            • Opcode ID: d522cd9fb95258fcb9a7fcfcc25da817efa3222d1bbd7f17c8535f51fd757e3d
                                                                                                                                                            • Instruction ID: db92702c1fefc12a2f8641ba4c8c0ae4334c1195f5a03c2b81f7b593112c1d2c
                                                                                                                                                            • Opcode Fuzzy Hash: d522cd9fb95258fcb9a7fcfcc25da817efa3222d1bbd7f17c8535f51fd757e3d
                                                                                                                                                            • Instruction Fuzzy Hash: F9F0F6717042246BCB254B66AC88C7FFB6CDB56751712443AFA01C3320E2709D41EBB4
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004500B5: SysAllocString.OLEAUT32(00000000), ref: 004500C9
                                                                                                                                                              • Part of subcall function 004500B5: VariantInit.OLEAUT32(?), ref: 004500D5
                                                                                                                                                              • Part of subcall function 004500B5: VariantClear.OLEAUT32(?), ref: 004501C4
                                                                                                                                                              • Part of subcall function 004500B5: SysFreeString.OLEAUT32(00000000), ref: 004501CF
                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004503CD
                                                                                                                                                            Strings
                                                                                                                                                            • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0045039E
                                                                                                                                                            • Failed to get value from attribute., xrefs: 0045038F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                            • String ID: Failed to get value from attribute.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                            • API String ID: 3379191133-973041108
                                                                                                                                                            • Opcode ID: 1aa399e82983eba3e167c4b2f26cabf04cbf17768573987ddc1645978e16be05
                                                                                                                                                            • Instruction ID: 83756acadb015622bc49afae226b0113aeb4081b530ef3799970abb83701ced8
                                                                                                                                                            • Opcode Fuzzy Hash: 1aa399e82983eba3e167c4b2f26cabf04cbf17768573987ddc1645978e16be05
                                                                                                                                                            • Instruction Fuzzy Hash: 71F0A431641318BBDB119F40DC06F9E7A65AF00B56F104452FD00A91D2D6798F24DB99
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to write %ls value., xrefs: 00409159
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 004090F5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3535843008-2586049171
                                                                                                                                                            • Opcode ID: 0a1510487c9561c214c3e06021ff57318a05bb4c939f6cf97599312a5c64ad41
                                                                                                                                                            • Instruction ID: f7ff7291bd9d73b4ad1cdddb3e331623d21f1eb51211e8dcf266e4e9b7cb5501
                                                                                                                                                            • Opcode Fuzzy Hash: 0a1510487c9561c214c3e06021ff57318a05bb4c939f6cf97599312a5c64ad41
                                                                                                                                                            • Instruction Fuzzy Hash: BEE0E530B04308A6DB216A51DC4BFBFB6209B44709F10012BF201702D289B84A50C95A
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to write %ls value., xrefs: 00409188
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 004090F5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3535843008-2586049171
                                                                                                                                                            • Opcode ID: ab518f53df679a09f1d61d978f582cc4a5de00945aa1dba6528be950a3956e01
                                                                                                                                                            • Instruction ID: 5bd5124487dcfe28ac412ef43baccb89dd952e7b9a6c5573f1e209d4ec51d8cf
                                                                                                                                                            • Opcode Fuzzy Hash: ab518f53df679a09f1d61d978f582cc4a5de00945aa1dba6528be950a3956e01
                                                                                                                                                            • Instruction Fuzzy Hash: 22E09B30B44309B6DB256A55DC4BFBFB7709B4470DF10413BF201742D2D9BC4A51DA56
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to write %ls value., xrefs: 004091BA
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 004090F5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3535843008-2586049171
                                                                                                                                                            • Opcode ID: 2ff66667fe017573283e9367b1c34a91a913f674a5784d06409dddf204cead1e
                                                                                                                                                            • Instruction ID: a121b3ba2d13a2157918f63d18ef1772d65396236ab6dfa7e641b030a0021b5b
                                                                                                                                                            • Opcode Fuzzy Hash: 2ff66667fe017573283e9367b1c34a91a913f674a5784d06409dddf204cead1e
                                                                                                                                                            • Instruction Fuzzy Hash: FBE09B30B44309B6DB256A55DC4BFBFBB709B4470DF10413BF201742D2D9BD4A51DA5A
                                                                                                                                                            APIs
                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,003F6DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00412F8D,003F6DA2,00000001,00000001), ref: 0040997D
                                                                                                                                                            Strings
                                                                                                                                                            • Failed to update name and publisher., xrefs: 004093EF
                                                                                                                                                            • d:\a\wix4\wix4\src\burn\user\registration.cpp, xrefs: 00409959
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2545256755.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
                                                                                                                                                            • Associated: 00000000.00000002.2545211358.00000000003F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545350198.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545433041.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000000.00000002.2545464519.0000000000490000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_3f0000_nkCBRtd25H.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Close
                                                                                                                                                            • String ID: Failed to update name and publisher.$d:\a\wix4\wix4\src\burn\user\registration.cpp
                                                                                                                                                            • API String ID: 3535843008-1652864479
                                                                                                                                                            • Opcode ID: 4be49c644a4bd84d5a2a72d1a408f7131f8a93ee6142813f16bc9e4051a66834
                                                                                                                                                            • Instruction ID: 0dd312e5c6ae72d86190150178532b2af6ab99245339e8c6dddece0dcef243bf
                                                                                                                                                            • Opcode Fuzzy Hash: 4be49c644a4bd84d5a2a72d1a408f7131f8a93ee6142813f16bc9e4051a66834
                                                                                                                                                            • Instruction Fuzzy Hash: 99E09230B40309A7DB15AA55EC0BFBFBB609B4070EF10012BF302B42D2DABC4950CA86