Windows Analysis Report
EtEskr.exe

Overview

General Information

Sample name: EtEskr.exe
Analysis ID: 1524996
MD5: 891a35ef9a4c3b463013b62f888b3927
SHA1: c1482dc6f5db6149374fccdf4fcdae76f9b362f2
SHA256: 7f817123a5f3a6a0405f42f93c0213f5014043b42cb46b34430eeffe1a340e8c

Detection

Babadeda
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Yara detected Babadeda
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • EtEskr.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\EtEskr.exe" MD5: 891A35EF9A4C3B463013B62F888B3927)
    • cmd.exe (PID: 3896 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dotnet-runtime-8.0.8-win-x64.exe (PID: 2228 cmdline: dotnet-runtime-8.0.8-win-x64.exe /q MD5: 6078CD9F0B46862256D9C8B3BB4F86EF)
        • dotnet-runtime-8.0.8-win-x64.exe (PID: 7076 cmdline: "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q MD5: C0CBF8F15105720847041131C8C45598)
          • dotnet-runtime-8.0.8-win-x64.exe (PID: 2280 cmdline: "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076 MD5: C0CBF8F15105720847041131C8C45598)
      • EtEskrivare.exe (PID: 5784 cmdline: EtEskrivare.exe MD5: 43D024998EC3E5791995017E6550DD9C)
        • conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6732 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT " MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 2984 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2012 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B9E5D64A3023B24E1C83A523BE5C5639 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 5856 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3909D66778F6C5107F8B15D5ECB299A6 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2296 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B854354A711E3251713D5F3210D22CCB MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • dotnet-runtime-8.0.8-win-x64.exe (PID: 4140 cmdline: "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce MD5: C0CBF8F15105720847041131C8C45598)
    • dotnet-runtime-8.0.8-win-x64.exe (PID: 4380 cmdline: "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log" MD5: C0CBF8F15105720847041131C8C45598)
      • dotnet-runtime-8.0.8-win-x64.exe (PID: 6500 cmdline: "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log" MD5: C0CBF8F15105720847041131C8C45598)
        • dotnet-runtime-8.0.8-win-x64.exe (PID: 5628 cmdline: "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{90908595-DBF2-48E3-B425-27B7CE5D8A50} {A89BB288-DC86-46DD-9CDA-AF6EDBCB231B} 6500 MD5: C0CBF8F15105720847041131C8C45598)
  • cleanup
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
No configs have been found
Source | Rule | Description | Author | Strings
EtEskr.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
          Source: Process started, Author: frack113, Data: Command: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", CommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: EtEskrivare.exe, ParentImage: C:\Users\user\AppData\Roaming\EtEskrivare.exe, ParentProcessId: 5784, ParentProcessName: EtEskrivare.exe, ProcessCommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", ProcessId: 6732, ProcessName: powershell.exe
          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce, EventID: 13, EventType: SetValue, Image: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, ProcessId: 2280, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d42cea76-6b02-403c-8fa9-b35c717db802}
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", CommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: EtEskrivare.exe, ParentImage: C:\Users\user\AppData\Roaming\EtEskrivare.exe, ParentProcessId: 5784, ParentProcessName: EtEskrivare.exe, ProcessCommandLine: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT ", ProcessId: 6732, ProcessName: powershell.exe
          No Suricata rule has matched

          AV Detection

          Source: EtEskr.exe, Avira: detected
          Source: EtEskr.exe, Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe, Code function: 4_2_00AABD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,4_2_00AABD11
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe, Code function: 4_2_00AABAF6 DecryptFileW,DecryptFileW,4_2_00AABAF6
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe, Code function: 4_2_00AD4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,4_2_00AD4C0F
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe, Code function: 5_2_003ABD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,5_2_003ABD11
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe, Code function: 5_2_003ABAF6 DecryptFileW,DecryptFileW,5_2_003ABAF6
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe, Code function: 5_2_003D4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,5_2_003D4C0F
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Code function: 6_2_00D5BAF6 DecryptFileW,DecryptFileW,6_2_00D5BAF6
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Code function: 6_2_00D84C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,6_2_00D84C0F
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Code function: 6_2_00D5BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,6_2_00D5BD11
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe, Code function: 9_2_00D7BAF6 DecryptFileW,DecryptFileW,9_2_00D7BAF6
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe, Code function: 9_2_00DA4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,9_2_00DA4C0F
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe, Code function: 9_2_00D7BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,9_2_00D7BD11

          Compliance

          Source: C:\Users\user\Desktop\EtEskr.exe, Unpacked PE file: 0.2.EtEskr.exe.400000.0.unpack
          Source: EtEskr.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Directory created: C:\Program Files\dotnet
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Directory created: C:\Program Files\dotnet\swidtag
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe, Directory created: C:\Program Files\dotnet\swidtag\Microsoft .NET Runtime - 8.0.8 (x64).swidtag
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Json.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Extensions.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Timer.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.ResourceManager.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Windows.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.TypeExtensions.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Extensions.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Loader.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebHeaderCollection.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Handles.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Extensions.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Primitives.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ObjectModel.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.X509Certificates.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlDocument.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\createdump.exeJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Cng.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\msquic.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.HttpUtility.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Csp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrjit.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.8Jump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
          Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
          Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\eula.rtf
          Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\eula.rtf
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: System.Threading.Thread.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: System.Globalization.Calendars.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB4yU: source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ComponentModel.ni.pdb source: System.ComponentModel.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256UR= source: System.Threading.Thread.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.7.dr
          Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb|||GCTL source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: System.Reflection.Emit.Lightweight.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: System.Diagnostics.Contracts.dll.7.dr
          Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256 source: netstandard.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: System.Security.Cryptography.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.7.dr
          Source: Binary string: System.Net.Security.ni.pdb source: System.Net.Security.dll.7.dr
          Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdbSHA256 source: mscorlib.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscoree\coreclr\coreclr.pdb source: EtEskrivare.exe, 0000000F.00000002.1814506995.00007FF8E656F000.00000002.00000001.01000000.00000013.sdmp, coreclr.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.7.dr
          Source: Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.7.dr
          Source: Binary string: System.Formats.Tar.ni.pdb source: System.Formats.Tar.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBZ source: powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: System.Net.Primitives.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.7.dr
          Source: Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdb source: System.Resources.Reader.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixDepCA.pdb source: 475f70.msi.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdbSHA256@ source: System.Net.Requests.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBs source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB?yT0 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: System.ComponentModel.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA256 source: System.Reflection.Emit.Lightweight.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdb source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
          Source: Binary string: System.Threading.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
          Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: System.Dynamic.Runtime.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdb source: System.Net.Requests.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
          Source: Binary string: System.Net.ServicePoint.ni.pdb source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: System.Threading.Channels.ni.pdb source: System.Threading.Channels.dll.7.dr
          Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
          Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
          Source: Binary string: System.Drawing.Primitives.ni.pdb source: System.Drawing.Primitives.dll.7.dr
          Source: Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.7.dr
          Source: Binary string: System.Reflection.Emit.ni.pdb source: System.Reflection.Emit.dll.7.dr
          Source: Binary string: System.Net.WebProxy.ni.pdb source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.7.dr
          Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: System.Formats.Tar.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: System.Text.Encoding.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: System.Threading.Timer.dll.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ~:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
          Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.7.dr
          Source: Binary string: System.Memory.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.7.dr
          Source: Binary string: le4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(& source: EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdb source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.7.dr
          Source: Binary string: System.Runtime.InteropServices.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
          Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: System.IO.Compression.FileSystem.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdbxxxGCTL source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: System.Configuration.dll.7.dr
          Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.7.dr
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1799843422.00000133CEECF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Console.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
          Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F6000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799843422.00000133CEE90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: System.Security.Principal.Windows.dll.7.dr
          Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdb source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
          Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdbSHA256& source: System.Security.Cryptography.Cng.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdbSHA256 source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdbSHA256 source: System.Resources.Reader.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdbSHA256PT# source: System.Runtime.Serialization.Json.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: System.Globalization.Calendars.dll.7.dr
          Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdb source: mscorlib.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.7.dr
          Source: Binary string: System.Reflection.DispatchProxy.ni.pdb source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: System.Security.Principal.Windows.ni.pdb source: System.Security.Principal.Windows.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: System.IO.Compression.FileSystem.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: System.Net.NameResolution.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdbSHA256b source: System.ValueTuple.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdbSHA256 source: System.Xml.XmlDocument.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256F source: System.Reflection.Extensions.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdb source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.7.dr
          Source: Binary string: System.Private.CoreLib.ni.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\wixca.pdb source: 475f70.msi.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /qC:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, 
GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Net.WebSockets.Client.ni.pdb source: System.Net.WebSockets.Client.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\uica.pdb source: 475f70.msi.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: System.Reflection.Emit.ILGeneration.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdbSHA256 source: System.Threading.Tasks.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.7.dr
          Source: Binary string: dotnet-runtime-8.0.8-win-x64.exe:32:*28453093*EtEskrivare.deps.json:32:*222*EtEskrivare.dll:32:*2409*EtEskrivare.exe:32:*63645*EtEskrivare.pdb:32:*6414*EtEskrivare.runtimeconfig.json:32:*195*L source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdbSHA256 source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
          Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: netstandard.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: System.Data.DataSetExtensions.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
          Source: Binary string: System.Net.NameResolution.ni.pdb source: System.Net.NameResolution.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: System.Data.DataSetExtensions.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdb source: System.Reflection.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: System.Threading.Timer.dll.7.dr
          Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdbMMMGCTL source: clrgc.dll.7.dr
          Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: System.Diagnostics.TraceSource.dll.7.dr
          Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdbbb6bUGP source: msquic.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E60000.00000004.00000020.00020000.00000000.sdmp, EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Diagnostics.Process.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\Release\net8.0\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\Release\net8.0-windows\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdbSHA256r source: System.Text.Encoding.dll.7.dr
          Source: Binary string: System.Collections.NonGeneric.ni.pdb source: System.Collections.NonGeneric.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.7.dr
          Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdbSHA256 source: System.Reflection.dll.7.dr
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsRo` source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Channels\Release\net8.0\System.Threading.Channels.pdb source: System.Threading.Channels.dll.7.dr
          Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsx source: dotnet-runtime-8.0.8-win-x64.exe, 
00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.7.dr
          Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.7.dr
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: powershell.exe, 00000011.00000002.1801555679.00000133CF208000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: System.Reflection.Emit.ILGeneration.dll.7.dr
          Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: EtEskrivare.exe, 0000000F.00000002.1816366531.00007FF8F8525000.00000002.00000001.01000000.00000015.sdmp
          Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256^ source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exedotnet-runtime-8.0.8-win-x64.exe /qC:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: System.Diagnostics.Debug.dll.7.dr
          Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.7.dr
          Source: Binary string: ::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet E source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
          Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.7.dr
          Source: C:\Windows\System32\msiexec.exeFile opened: z:
          Source: C:\Windows\System32\msiexec.exeFile opened: x:
          Source: C:\Windows\System32\msiexec.exeFile opened: v:
          Source: C:\Windows\System32\msiexec.exeFile opened: t:
          Source: C:\Windows\System32\msiexec.exeFile opened: r:
          Source: C:\Windows\System32\msiexec.exeFile opened: p:
          Source: C:\Windows\System32\msiexec.exeFile opened: n:
          Source: C:\Windows\System32\msiexec.exeFile opened: l:
          Source: C:\Windows\System32\msiexec.exeFile opened: j:
          Source: C:\Windows\System32\msiexec.exeFile opened: h:
          Source: C:\Windows\System32\msiexec.exeFile opened: f:
          Source: C:\Windows\System32\msiexec.exeFile opened: b:
          Source: C:\Windows\System32\msiexec.exeFile opened: y:
          Source: C:\Windows\System32\msiexec.exeFile opened: w:
          Source: C:\Windows\System32\msiexec.exeFile opened: u:
          Source: C:\Windows\System32\msiexec.exeFile opened: s:
          Source: C:\Windows\System32\msiexec.exeFile opened: q:
          Source: C:\Windows\System32\msiexec.exeFile opened: o:
          Source: C:\Windows\System32\msiexec.exeFile opened: m:
          Source: C:\Windows\System32\msiexec.exeFile opened: k:
          Source: C:\Windows\System32\msiexec.exeFile opened: i:
          Source: C:\Windows\System32\msiexec.exeFile opened: g:
          Source: C:\Windows\System32\msiexec.exeFile opened: e:
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
          Source: C:\Windows\System32\msiexec.exeFile opened: a:
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00A91700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,4_2_00A91700
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00A93B2C FindFirstFileW,FindClose,4_2_00A93B2C
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00ACC1FB FindFirstFileExW,4_2_00ACC1FB
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AAB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,4_2_00AAB79F
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_00391700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,5_2_00391700
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003AB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,5_2_003AB79F
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_00393B2C FindFirstFileW,FindClose,5_2_00393B2C
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003CC1FB FindFirstFileExW,5_2_003CC1FB
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,6_2_00D5B79F
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,6_2_00D41700
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D43B2C FindFirstFileW,FindClose,6_2_00D43B2C
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D7C1FB FindFirstFileExW,6_2_00D7C1FB
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D63B2C FindFirstFileW,FindClose,9_2_00D63B2C
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D9C1FB FindFirstFileExW,9_2_00D9C1FB
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D7B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,9_2_00D7B79F
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,9_2_00D61700
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF66CB2CD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,15_2_00007FF66CB2CD20
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F85B0910 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,15_2_00007FF8F85B0910
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8FF5C58B0 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,15_2_00007FF8FF5C58B0
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.tmp
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmp
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\

          Networking

          Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll, type: DROPPED
          Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll, type: DROPPED
          Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll, type: DROPPED
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://7-zip.org/sdk.html
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://angular.io/license
          Source: dotnet-runtime-8.0.8-win-x64.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
          Source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.drString found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
          Source: 475f70.msi.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
          Source: 475f70.msi.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
          Source: 475f70.msi.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
          Source: 475f70.msi.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: 475f70.msi.7.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
          Source: 475f70.msi.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
          Source: 475f70.msi.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
          Source: 475f70.msi.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
          Source: 475f70.msi.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: 475f70.msi.7.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
          Source: 475f70.msi.7.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://llvm.org
          Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: 475f70.msi.7.drString found in binary or memory: http://ocsp.digicert.com0A
          Source: 475f70.msi.7.drString found in binary or memory: http://ocsp.digicert.com0C
          Source: 475f70.msi.7.drString found in binary or memory: http://ocsp.digicert.com0O
          Source: 475f70.msi.7.drString found in binary or memory: http://ocsp.digicert.com0X
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://opensource.org/licenses/MIT
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: System.Security.Principal.Windows.dll.7.drString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B6E11000.00000004.00000800.00020000.00000000.sdmp, System.Security.Principal.Windows.dll.7.drString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: ThirdPartyNotices.txt.7.drString found in binary or memory: http://sourceforge.net/projects/slicing-by-8/
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f6c.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI642F.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65A7.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f6f.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI814E.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f70.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87B7.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{7FE24458-0796-4428-99C2-9A0F8DAB93CC}
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8864.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f73.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8902.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f74.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B45.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C11.tmp
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f77.msi
          Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8E25.tmp
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe File deleted: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
          Source: System.Reflection.Emit.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.IO.Compression.ZipFile.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.Private.CoreLib.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.Text.Encoding.CodePages.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.IO.FileSystem.AccessControl.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.Security.Cryptography.dll.7.dr Static PE information: No import functions for PE file found
          Source: System.Diagnostics.FileVersionInfo.dll.7.dr Static PE information: No import functions for PE file found
          Source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEtEskrivare.dll8 vs EtEskr.exe
          Source: EtEskr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemAclExtensions.cs Security API names: fileInfo.GetAccessControl
          Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: ((CommonObjectSecurity)this).AddAccessRule
          Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: System.Security.AccessControl.FileSystemSecurity.GetAccessControlSectionsFromChanges()
          Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.GetAccessRules(bool, bool, System.Type)
          Source: classification engine Classification label: mal80.troj.evad.winEXE@29/318@0/0
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A92A4C FormatMessageW,GetLastError,LocalFree,4_2_00A92A4C
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A962C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,4_2_00A962C2
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003962C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,5_2_003962C2
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D462C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,6_2_00D462C2
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D662C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,9_2_00D662C2
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD76B2 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,4_2_00AD76B2
          Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource,0_2_004026B8
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AB8718 ChangeServiceConfigW,GetLastError,4_2_00AB8718
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Program Files\dotnet
          Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03
          Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Local\Temp\4C80.tmp
          Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 4_2_00A910E1
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 4_2_00A910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: `= 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: x= 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: = 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 5_2_003910E1
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 5_2_003910E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 6_2_00D410E1
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 6_2_00D410E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 9_2_00D610E1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 9_2_00D610E1
          Source: C:\Users\user\Desktop\EtEskr.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\EtEskr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 475f70.msi.7.drBinary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are authored.Failed to check if 
the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.c:\agent\_work\36\s\wix\src\ext\dependencyextension\ca\wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the messa
          Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
          Source: EtEskrivare.exe String found in binary or memory: %s App: %s Architecture: %s App host version: %s .NET location: %s Learn more: https://aka.ms/dotnet/app-launch-failed Download
          Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
          Source: EtEskrivare.exe String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
          Source: EtEskrivare.exe String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed To install missing framework, download: %s
          Source: EtEskrivare.exe String found in binary or memory: --help
          Source: EtEskrivare.exe String found in binary or memory: -h|--help Displays this help.
          Source: EtEskrivare.exe String found in binary or memory: Learn more:https://aka.ms/dotnet/app-launch-failedTo install missing framework, download:%s
          Source: EtEskrivare.exe String found in binary or memory: %sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload
          Source: EtEskrivare.exe String found in binary or memory: Learn more:https://aka.ms/dotnet/app-launch-failedWould you like to download it now?
          Source: unknown Process created: C:\Users\user\Desktop\EtEskr.exe "C:\Users\user\Desktop\EtEskr.exe"
          Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe dotnet-runtime-8.0.8-win-x64.exe /q
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076
          Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
          Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9E5D64A3023B24E1C83A523BE5C5639
          Source: unknown Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
          Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3909D66778F6C5107F8B15D5ECB299A6
          Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B854354A711E3251713D5F3210D22CCB
          Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\EtEskrivare.exe EtEskrivare.exe
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{90908595-DBF2-48E3-B425-27B7CE5D8A50} {A89BB288-DC86-46DD-9CDA-AF6EDBCB231B} 6500
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: slc.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sfc_os.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: apphelp.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: uxtheme.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textinputframework.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coreuicomponents.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coremessaging.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: ntmarta.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msimg32.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windowscodecs.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: explorerframe.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textshaping.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: propsys.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: edputil.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: urlmon.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srvcli.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: netutils.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sspicli.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: appresolver.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: slc.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msi.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msxml3.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: srclient.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: spp.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: vssapi.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: vsstrace.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: usoapi.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: feclient.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: srpapi.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: tsappcmp.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\msiexec.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msi.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: version.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msxml3.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wldp.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: profapi.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: kernel.appcore.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptbase.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: version.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cabinet.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msxml3.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.storage.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wldp.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: profapi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: apphelp.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: kernel.appcore.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptbase.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: version.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cabinet.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msxml3.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.storage.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wldp.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: profapi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: feclient.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: iertutil.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: uxtheme.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: textinputframework.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coreuicomponents.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coremessaging.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: ntmarta.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msimg32.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windowscodecs.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: explorerframe.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: textshaping.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: propsys.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: edputil.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: urlmon.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: srvcli.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: netutils.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: sspicli.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: appresolver.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: bcp47langs.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: slc.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: userenv.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: sppc.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: mpr.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: pcacli.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: kernel.appcore.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cryptbase.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: version.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: cabinet.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: msxml3.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: windows.storage.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wldp.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: profapi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: uxtheme.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: textinputframework.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coreuicomponents.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: coremessaging.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: ntmarta.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: wintypes.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: srclient.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: spp.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: powrprof.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: vssapi.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: vsstrace.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: umpdc.dll
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeSection loaded: usoapi.dll
          Source: C:\Users\user\Desktop\EtEskr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWindow detected: Number of UI elements: 21
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeWindow detected: Number of UI elements: 21
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeDirectory created: C:\Program Files\dotnetJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeDirectory created: C:\Program Files\dotnet\swidtagJump to behavior
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeDirectory created: C:\Program Files\dotnet\swidtag\Microsoft .NET Runtime - 8.0.8 (x64).swidtagJump to behavior
          Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}Jump to behavior
          Source: EtEskr.exeStatic file information: File size 28779520 > 1048576
          Source: EtEskr.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b5ce00
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: System.Threading.Thread.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: System.Globalization.Calendars.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB4yU: source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ComponentModel.ni.pdb source: System.ComponentModel.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256UR= source: System.Threading.Thread.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.7.dr
          Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb|||GCTL source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: System.Reflection.Emit.Lightweight.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: System.Diagnostics.Contracts.dll.7.dr
          Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256 source: netstandard.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: System.Security.Cryptography.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsG source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initializecriptions8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROW\REGISTRY\\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeATH=\Users\t source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618442951.0000000000246000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.7.dr
          Source: Binary string: System.Net.Security.ni.pdb source: System.Net.Security.dll.7.dr
          Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdbSHA256 source: mscorlib.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscoree\coreclr\coreclr.pdb source: EtEskrivare.exe, 0000000F.00000002.1814506995.00007FF8E656F000.00000002.00000001.01000000.00000013.sdmp, coreclr.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.7.dr
          Source: Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drive\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeTRING=Defaul" source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Formats.Tar.ni.pdb source: System.Formats.Tar.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBZ source: powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: System.Net.Primitives.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.7.dr
          Source: Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.7.dr
          Source: Binary string: fuDLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86// source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.7.dr
          Source: Binary string: ~ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files 
(x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows>yT1 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdb source: System.Resources.Reader.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixDepCA.pdb source: 475f70.msi.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdbSHA256@ source: System.Net.Requests.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBs source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB?yT0 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: System.ComponentModel.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA256 source: System.Reflection.Emit.Lightweight.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdb source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
          Source: Binary string: System.Threading.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
          Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: System.Dynamic.Runtime.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdb source: System.Net.Requests.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
          Source: Binary string: System.Net.ServicePoint.ni.pdb source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: System.Threading.Channels.ni.pdb source: System.Threading.Channels.dll.7.dr
          Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
          Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
          Source: Binary string: System.Drawing.Primitives.ni.pdb source: System.Drawing.Primitives.dll.7.dr
          Source: Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.7.dr
          Source: Binary string: System.Reflection.Emit.ni.pdb source: System.Reflection.Emit.dll.7.dr
          Source: Binary string: System.Net.WebProxy.ni.pdb source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.7.dr
          Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: System.Formats.Tar.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: System.Text.Encoding.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: System.Threading.Timer.dll.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ~:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
          Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.7.dr
          Source: Binary string: System.Memory.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdb source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.7.dr
          Source: Binary string: System.Runtime.InteropServices.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
          Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: System.IO.Compression.FileSystem.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdbxxxGCTL source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: System.Configuration.dll.7.dr
          Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.7.dr
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1799843422.00000133CEECF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Console.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
          Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F6000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799843422.00000133CEE90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 
00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: System.Net.ServicePoint.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: System.Security.Principal.Windows.dll.7.dr
          Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdb source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
          Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdbSHA256& source: System.Security.Cryptography.Cng.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdbSHA256 source: System.Net.WebProxy.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdbSHA256 source: System.Resources.Reader.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdbSHA256PT# source: System.Runtime.Serialization.Json.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: System.Globalization.Calendars.dll.7.dr
          Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdb source: mscorlib.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.7.dr
          Source: Binary string: System.Reflection.DispatchProxy.ni.pdb source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: System.Security.Principal.Windows.ni.pdb source: System.Security.Principal.Windows.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: System.IO.Compression.FileSystem.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: System.Net.NameResolution.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdbSHA256b source: System.ValueTuple.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdbSHA256 source: System.Xml.XmlDocument.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256F source: System.Reflection.Extensions.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdb source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.7.dr
          Source: Binary string: System.Private.CoreLib.ni.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\wixca.pdb source: 475f70.msi.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /qC:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, 
GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Net.WebSockets.Client.ni.pdb source: System.Net.WebSockets.Client.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\uica.pdb source: 475f70.msi.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: System.Reflection.Emit.ILGeneration.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdbSHA256 source: System.Threading.Tasks.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.7.dr
          Source: Binary string: dotnet-runtime-8.0.8-win-x64.exe:32:*28453093*EtEskrivare.deps.json:32:*222*EtEskrivare.dll:32:*2409*EtEskrivare.exe:32:*63645*EtEskrivare.pdb:32:*6414*EtEskrivare.runtimeconfig.json:32:*195*L source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdbSHA256 source: System.Reflection.DispatchProxy.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
          Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: netstandard.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: System.Data.DataSetExtensions.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
          Source: Binary string: System.Net.NameResolution.ni.pdb source: System.Net.NameResolution.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: System.Data.DataSetExtensions.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdb source: System.Reflection.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: System.Threading.Timer.dll.7.dr
          Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdbMMMGCTL source: clrgc.dll.7.dr
          Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: System.Diagnostics.TraceSource.dll.7.dr
          Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdbbb6bUGP source: msquic.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
          Source: Binary string: C:\Users\user\AppData\Roaming\EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E60000.00000004.00000020.00020000.00000000.sdmp, EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Diagnostics.Process.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\Release\net8.0\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\Release\net8.0-windows\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
          Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdbSHA256r source: System.Text.Encoding.dll.7.dr
          Source: Binary string: System.Collections.NonGeneric.ni.pdb source: System.Collections.NonGeneric.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
          Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.7.dr
          Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
          Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdbSHA256 source: System.Reflection.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Channels\Release\net8.0\System.Threading.Channels.pdb source: System.Threading.Channels.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.7.dr
          Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.7.dr
          Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: System.Reflection.Emit.ILGeneration.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: EtEskrivare.exe, 0000000F.00000002.1816366531.00007FF8F8525000.00000002.00000001.01000000.00000015.sdmp
          Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256^ source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exedotnet-runtime-8.0.8-win-x64.exe /qC:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: System.Diagnostics.Debug.dll.7.dr
          Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.7.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
          Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.7.dr

          Data Obfuscation

          Source: C:\Users\user\Desktop\EtEskr.exe Unpacked PE file: 0.2.EtEskr.exe.400000.0.unpack
          Source: Yara match File source: EtEskr.exe, type: SAMPLE
          Source: EtEskrivare.dll.0.dr Static PE information: 0x88F8F208 [Mon Oct 27 09:51:04 2042 UTC]
          Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen, 0_2_0040A83A
          Source: EtEskr.exe Static PE information: section name: .code
          Source: dotnet-runtime-8.0.8-win-x64.exe.0.dr Static PE information: section name: .wixburn
          Source: dotnet-runtime-8.0.8-win-x64.exe.4.dr Static PE information: section name: .wixburn
          Source: dotnet-runtime-8.0.8-win-x64.exe.5.dr Static PE information: section name: .wixburn
          Source: dotnet-runtime-8.0.8-win-x64.exe.6.dr Static PE information: section name: .wixburn
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0BC6 push ecx; ret 4_2_00AC0BD9
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ADCD63 push ecx; ret 4_2_00ADCD76
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C0BC6 push ecx; ret 5_2_003C0BD9
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003DCD63 push ecx; ret 5_2_003DCD76
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D70BC6 push ecx; ret 6_2_00D70BD9
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D8CD63 push ecx; ret 6_2_00D8CD76
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D90BC6 push ecx; ret 9_2_00D90BD9
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DACD63 push ecx; ret 9_2_00DACD76
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857286C push rsi; iretd 15_2_00007FF8E857286F
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E8573481 push rdi; retf 15_2_00007FF8E8573494
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F82D3630 push rax; iretd 15_2_00007FF8F82D3631
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F82D21F8 push rcx; retf 15_2_00007FF8F82D2223
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8373A76 push rax; iretd 15_2_00007FF8F8373A79
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F837150C push rax; retf 0000h 15_2_00007FF8F837150D
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F50F4 push 2B41000Eh; iretd 15_2_00007FF8F83F50F9
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8584A1B pushfq ; retf 15_2_00007FF8F8584A27
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5CCCF6 push rbp; retf 15_2_00007FF8FF5CCCF9
          Source: System.Text.Encoding.CodePages.dll.7.dr Static PE information: section name: .text entropy: 7.522662314992507
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\wixstdba.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
          Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\EtEskrivare.exe
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dll
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe File created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
          Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe
          Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\EtEskrivare.dll
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.XDocument.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Serialization.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dllJump to dropped file
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeJump to dropped file
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI642F.tmpJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8B45.tmpJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8E25.tmpJump to dropped file
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeJump to dropped file
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeJump to dropped file
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI87B7.tmpJump to dropped file
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\eula.rtfJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeFile created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\eula.rtf
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}Jump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\EtEskr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeMemory allocated: 1E915FA0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F848A4B0 rdtsc 15_2_00007FF8F848A4B0
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\EtEskr.exeWindow / User API: threadDelayed 1029Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5881
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3765
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Linq.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8E25.tmpJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\coreclr.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorlib.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dllJump to dropped file
          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\wixstdba.dll
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Dropped PE file which has not been started: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dll
          Source: C:\Users\user\Desktop\EtEskr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\EtEskrivare.dll
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Evaded block: after key decision
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeEvasive API call chain: GetLocalTime,DecisionNodes
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeAPI coverage: 9.1 %
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeAPI coverage: 5.9 %
          Source: C:\Users\user\Desktop\EtEskr.exe TID: 6440Thread sleep count: 1029 > 30Jump to behavior
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe TID: 4984Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800Thread sleep count: 5881 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800Thread sleep count: 3765 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Users\user\Desktop\EtEskr.exeThread sleep count: Count: 1029 delay: -25Jump to behavior
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AD506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00AD5108h4_2_00AD506D
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AD506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00AD5101h4_2_00AD506D
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003D506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003D5108h5_2_003D506D
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003D506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003D5101h5_2_003D506D
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D85108h6_2_00D8506D
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D85101h6_2_00D8506D
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00DA506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00DA5108h9_2_00DA506D
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00DA506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00DA5101h9_2_00DA506D
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00A91700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,4_2_00A91700
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00A93B2C FindFirstFileW,FindClose,4_2_00A93B2C
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00ACC1FB FindFirstFileExW,4_2_00ACC1FB
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AAB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,4_2_00AAB79F
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_00391700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,5_2_00391700
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003AB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,5_2_003AB79F
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_00393B2C FindFirstFileW,FindClose,5_2_00393B2C
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003CC1FB FindFirstFileExW,5_2_003CC1FB
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,6_2_00D5B79F
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,6_2_00D41700
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D43B2C FindFirstFileW,FindClose,6_2_00D43B2C
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D7C1FB FindFirstFileExW,6_2_00D7C1FB
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D63B2C FindFirstFileW,FindClose,9_2_00D63B2C
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D9C1FB FindFirstFileExW,9_2_00D9C1FB
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D7B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,9_2_00D7B79F
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,9_2_00D61700
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF66CB2CD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,15_2_00007FF66CB2CD20
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F85B0910 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,15_2_00007FF8F85B0910
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8FF5C58B0 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,15_2_00007FF8FF5C58B0
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00ABFC6A VirtualQuery,GetSystemInfo,4_2_00ABFC6A
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.tmpJump to behavior
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmpJump to behavior
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\AppData\Local\Temp\4C80.tmpJump to behavior
          Source: C:\Users\user\Desktop\EtEskr.exeFile opened: C:\Users\user\Jump to behavior
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
          Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674487308.00000000013D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
          Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeAPI call chain: ExitProcess graph end node
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F848A4B0 rdtsc 15_2_00007FF8F848A4B0
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00AC8567
          Source: C:\Users\user\Desktop\EtEskr.exeCode function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen,0_2_0040A83A
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC98C7 mov ecx, dword ptr fs:[00000030h]4_2_00AC98C7
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00ACCFDC mov eax, dword ptr fs:[00000030h]4_2_00ACCFDC
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003C98C7 mov ecx, dword ptr fs:[00000030h]5_2_003C98C7
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003CCFDC mov eax, dword ptr fs:[00000030h]5_2_003CCFDC
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D798C7 mov ecx, dword ptr fs:[00000030h]6_2_00D798C7
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D7CFDC mov eax, dword ptr fs:[00000030h]6_2_00D7CFDC
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D998C7 mov ecx, dword ptr fs:[00000030h]9_2_00D998C7
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D9CFDC mov eax, dword ptr fs:[00000030h]9_2_00D9CFDC
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00A950E9 GetProcessHeap,RtlAllocateHeap,4_2_00A950E9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\EtEskr.exeCode function: 0_2_00409950 SetUnhandledExceptionFilter,0_2_00409950
          Source: C:\Users\user\Desktop\EtEskr.exeCode function: 0_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,0_2_00409930
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC0469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00AC0469
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00AC8567
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC0934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00AC0934
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC0AC7 SetUnhandledExceptionFilter,4_2_00AC0AC7
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003C0469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_003C0469
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003C8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_003C8567
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003C0934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_003C0934
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeCode function: 5_2_003C0AC7 SetUnhandledExceptionFilter,5_2_003C0AC7
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D70469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00D70469
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D78567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00D78567
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D70934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00D70934
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeCode function: 6_2_00D70AC7 SetUnhandledExceptionFilter,6_2_00D70AC7
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D90469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00D90469
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D98567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00D98567
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D90934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00D90934
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeCode function: 9_2_00D90AC7 SetUnhandledExceptionFilter,9_2_00D90AC7
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF66CB319C0 SetUnhandledExceptionFilter,15_2_00007FF66CB319C0
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF66CB3167C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF66CB3167C
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF66CB3181C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF66CB3181C
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F84C3DA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF8F84C3DA0
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F85BD9BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF8F85BD9BC
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8F85BDB54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF8F85BDB54
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8FF5D3FDC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF8FF5D3FDC
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeCode function: 15_2_00007FF8FF5D3E2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF8FF5D3E2C
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
          Source: C:\Users\user\Desktop\EtEskr.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe dotnet-runtime-8.0.8-win-x64.exe /qJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\EtEskrivare.exe EtEskrivare.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeProcess created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /qJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeProcess created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076Jump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeProcess created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
          Source: C:\Users\user\AppData\Roaming\EtEskrivare.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeProcess created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "c:\users\user\appdata\local\temp\microsoft_.net_runtime_-_8.0.8_(x64)_20241003092550.log"
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AD5D9B InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,4_2_00AD5D9B
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AD80B4 AllocateAndInitializeSid,CheckTokenMembership,4_2_00AD80B4
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeCode function: 4_2_00AC0CF7 cpuid 4_2_00AC0CF7
          Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeQueries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exeQueries volume information: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\bg.png VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AA6BA2 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,4_2_00AA6BA2
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD506D EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection,4_2_00AD506D
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A97E8C GetUserNameW,GetLastError,4_2_00A97E8C
          Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ADBE87 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,4_2_00ADBE87
          Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040559A GetVersionExW,GetVersionExW,0_2_0040559A
          Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 4 Native API | 1 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 13 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 2 Windows Service | 2 Windows Service | 3 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 11 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 26 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 31 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 23 Masquerading | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 41 Virtualization/Sandbox Evasion | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | 1 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 12 Process Injection | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
          [Behavior graph: ID 1524996, Sample: EtEskr.exe, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 80]

          Source | Detection | Scanner | Label | Link
          EtEskr.exe | 100% | Avira | HEUR/AGEN.1343578
          EtEskr.exe | 100% | Joe Sandbox ML
          Source | Detection | Scanner | Label | Link
          C:\Program Files\dotnet\dotnet.exe | 0% | ReversingLabs
          C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.AppContext.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.DataAnnotations.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.EventBasedAsync.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Primitives.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Configuration.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Core.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.DataSetExtensions.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.FileVersionInfo.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.StackTrace.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TextWriterTraceListener.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Calendars.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Extensions.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Brotli.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.FileSystem.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.AccessControl.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll | 0% | ReversingLabs
          C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dll | 0% | ReversingLabs
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://nuget.org/nuget.exe | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
          http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
          https://contoso.com/Icon | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
          https://contoso.com/License | 0% | URL Reputation | safe
          https://contoso.com/ | 0% | URL Reputation | safe
          No contacted domains info
          Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                  unknown
                                                                                                                                  https://github.com/dotnet/templating/blob/main/build/nuget.exeThirdPartyNotices.txt.7.drfalse
                                                                                                                                    unknown
                                                                                                                                    https://aka.ms/dotnet/app-launch-failedWouldEtEskrivare.exefalse
                                                                                                                                      unknown
                                                                                                                                      https://aka.ms/dotnet-cli-telemetryy?dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://github.com/dotnet/runtime?System.Dynamic.Runtime.dll.7.drfalse
                                                                                                                                          unknown
                                                                                                                                          https://opensource.org/licenses/MITThirdPartyNotices.txt.7.drfalse
                                                                                                                                            unknown
                                                                                                                                            https://contoso.com/Licensepowershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://aka.ms/dev-privacydotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675697765.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674946812.0000000001377000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674605915.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.0000000001378000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.drfalse
                                                                                                                                              unknown
                                                                                                                                              https://aka.ms/dotnet-license-windowsdotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.drfalse
                                                                                                                                                unknown
                                                                                                                                                http://llvm.orgThirdPartyNotices.txt.7.drfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://dot.net/coreLdotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://creativecommons.org/publicdomain/zero/1.0/ThirdPartyNotices.txt.7.drfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.mono-project.com/docs/about-mono/ThirdPartyNotices.txt.7.drfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.xamarin.com)ThirdPartyNotices.txt.7.drfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://aka.ms/dotnet/sdk-not-foundFailedEtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.drfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://dot.net/corePdotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621736559.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000003.1621212291.00000000006CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://aka.ms/dotnet-core-applaunch?EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://github.com/dotnet/runtime0System.Resources.Reader.dll.7.drfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://github.com/dotnet/runtimeEtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp, EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp, System.Diagnostics.Tools.dll.7.dr, System.Text.Encodings.Web.dll.7.dr, System.Xml.XmlSerializer.dll.7.dr, System.ComponentModel.TypeConverter.dll.7.dr, System.Drawing.Primitives.dll.7.dr, System.ComponentModel.dll.7.dr, System.IO.Compression.FileSystem.dll.7.dr, System.Threading.Timer.dll.7.dr, System.Runtime.Serialization.Json.dll.7.dr, System.Net.NetworkInformation.dll.7.drfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://github.com/dotnet/runtimed5System.Reflection.dll.7.drfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://aka.ms/dotnet-docsdotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.drfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://dot.net/corevdotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1469104382.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616367866.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617063137.0000000000E3E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=&osEtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.drfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://aka.ms/dotnet-warnings/System.Security.Cryptography.dll.7.drfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://github.com/BurntSushi/aho-corasickThirdPartyNotices.txt.7.drfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://aka.ms/dotnet-license-windowsldotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://github.com/dotnet/runtime/issues/71847EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://github.com/dotnet/runtime_System.Globalization.Calendars.dll.7.drfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://aka.ms/serializationformat-binary-obsoleteSystem.Data.Common.dll.7.drfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://contoso.com/powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://aka.ms/binaryformatterEtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp, System.ComponentModel.TypeConverter.dll.7.drfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://aka.ms/dotnet-license-windodotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://github.com/dotnet/runtimeI_#System.Diagnostics.Debug.dll.7.drfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://aka.ms/dotnet-cli-telemetry&quot;&gt;.NETdotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.drfalse
                                                                                                                                                                                                unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524996
Start date and time: 2024-10-03 15:24:47 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EtEskr.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@29/318@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 136
• Number of non-executed functions: 281
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: EtEskr.exe
Time      Type             Description
09:26:08  API Interceptor  40x Sleep call for process: powershell.exe modified
14:25:52  Autostart        Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802} "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce
                                                                                                                                                                                                No context
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):48941
                                                                                                                                                                                                Entropy (8bit):5.870601573697765
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@<KCY.@.....@.....@.....@.....@.....@......&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}$.Microsoft .NET Runtime - 8.0.8 (x64) .dotnet-runtime-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{6AF517CA-B141-429F-9C4F-3B284175B717}.....@.....@.....@.....@.......@.....@.....@.......@....$.Microsoft .NET Runtime - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3C4C024C-2130-52A6-970B-70C150A9C6A1}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}.@......&.{6CB89BA5-BA15-534E-A68E-2264932E5941}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}.@......&.{9ADA46AD-09F9-5ECD-900E-DBDF4918CCBC}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}.@......&.{065DBC19-6591-5CC8-9436-232F964F0892}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}.@......&.{016CCB70-9738-5A29-8B80-1D9589FDE7B9}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}.@......&.{A861D4BA-32B7-582F-B329-747A998A9853}&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):9044
                                                                                                                                                                                                Entropy (8bit):5.594159455021252
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@BKCY.@.....@.....@.....@.....@.....@......&.{7FE24458-0796-4428-99C2-9A0F8DAB93CC}-.Microsoft .NET Host FX Resolver - 8.0.8 (x64) .dotnet-hostfxr-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{BB639B51-1725-47F5-9229-90393A63E483}.....@.....@.....@.....@.......@.....@.....@.......@....-.Microsoft .NET Host FX Resolver - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A7B38373-46D8-574E-BFAC-69B10BFA5D28}&.{7FE24458-0796-4428-99C2-9A0F8DAB93CC}.@......&.{1DC8D66C-83D7-58FD-A401-939C300FD86E}&.{7FE24458-0796-4428-99C2-9A0F8DAB93CC}.@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}&.{7FE24458-0796-4428-99C2-9A0F8DAB93CC}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..'.C:\Program Files\dotnet\host\fxr\8.0.8\....2.C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll....WriteRegistryValues..Writing system registry values..Key: [1],
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):10258
                                                                                                                                                                                                Entropy (8bit):5.641230868819559
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@CKCY.@.....@.....@.....@.....@.....@......&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}!.Microsoft .NET Host - 8.0.8 (x64)..dotnet-host-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}.....@.....@.....@.....@.......@.....@.....@.......@....!.Microsoft .NET Host - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{7ECCA0D4-8C88-50DD-A538-CDC29B9350D1}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@......&.{CE35924C-AD31-51DF-B84A-A8052ED08400}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@......&.{A61CBE5B-1282-4F29-90AD-63597AA2372E}&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}.@.......
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):9519
                                                                                                                                                                                                Entropy (8bit):4.902271147017698
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):96177
                                                                                                                                                                                                Entropy (8bit):5.252050138452329
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.NET Runtime uses third-party libraries or other resources that may be..distributed under licenses different than the .NET Runtime software.....In the event that we accidentally failed to list a required notice, please..bring it to our attention. Post an issue or email us:.... dotnet@microsoft.com....The attached notices are provided for information only.....License notice for ASP.NET..-------------------------------....Copyright (c) .NET Foundation. All rights reserved...Licensed under the Apache License, Version 2.0.....Available at..https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt....License notice for Slicing-by-8..-------------------------------....http://sourceforge.net/projects/slicing-by-8/....Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved......This software program is licensed subject to the BSD License, available at..http://www.opensource.org/licenses/bsd-license.html.....License notice for Unicode data..-------------------------------...
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):146608
                                                                                                                                                                                                Entropy (8bit):5.796701076835328
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):350472
                                                                                                                                                                                                Entropy (8bit):6.298019612811869
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):49
                                                                                                                                                                                                Entropy (8bit):3.853879743350026
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:LP5z1dUcVEFDkUXCdAv:LP5zEcuFDkUySv
                                                                                                                                                                                                MD5:0A25AD88799B745D05184086617C43BA
                                                                                                                                                                                                SHA1:5058FA3B2D09DC9363E387AE3F79FC3B59136908
                                                                                                                                                                                                SHA-256:B91859B1B07A5E9EC1BAA2B351F968A80DA942A6531CAF7913A7E38D4744B99A
                                                                                                                                                                                                SHA-512:A7846586DB5877CA14C874372831EE117DA564DBDF788FD9CD5CFFACC8EDF4624F2C9C4ED655B892FAB0839C5F161D037390FD64625F3A8E4477E9BBF0B06E2A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:08338fcaa5c9b9a8190abb99222fed12aaba956c..8.0.8..
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1005832
                                                                                                                                                                                                Entropy (8bit):6.717630206703801
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:Wuz94uYWl+9whtbSp1HVu9yH+sChDUD3IX+:v54uZ++tbQHVu9yHugrH
                                                                                                                                                                                                MD5:AC45B05C090E28DDE2BDD3E6D460330F
                                                                                                                                                                                                SHA1:54A64B5C41A365E4F03974E620D9227582E0B6B1
                                                                                                                                                                                                SHA-256:FBA4224E5DEABCCD781BD7E0371C16A9765F7BE0EA165F8BB499F5D62F4531BF
                                                                                                                                                                                                SHA-512:6DCDB591E85C9F2C241ED2BCFAFA214B7F1B75E6D681BB40F76CC3B121FCE41CE9455FA3C44D455A4E4F2FF4BA4F159F0DE51C0EA74FFC73837B342794AB7389
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2309152
                                                                                                                                                                                                Entropy (8bit):6.414576855139372
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                                                                                                                MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                                                                                                                SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                                                                                                                SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                                                                                                                SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):28516
                                                                                                                                                                                                Entropy (8bit):4.274394991306572
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:Q7M+c0HmWYmoyRcrVjap4YlsWQAEZOqfmy:Q7M+c0HmWYmoyRcrVjap4YlsWlCOqfmy
                                                                                                                                                                                                MD5:81D0C7A4EEF71B68170D5C9192DD080D
                                                                                                                                                                                                SHA1:CAD9695C6C2179A2724DB8C70A13F282D95F804C
                                                                                                                                                                                                SHA-256:AAF78719AE0F00AEE43D2950BA621A362D2A94C2E6BD12823D13E3179DDC6380
                                                                                                                                                                                                SHA-512:AC7BA477EB50DA1DD38EC06E503B74387E13BC0B87CCD818761B3700594BDBAFFEE422B0ABE9C84252EAF8B0FE8D0969C85770E3DDE7585D1BA88CF0F2A7FA55
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v8.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v8.0": {},.. ".NETCoreApp,Version=v8.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/8.0.8": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "8.0.0.0",.. "fileVersion": "8.0.824.36612".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "8.0.824.36612".. },.. "Microsoft.Win32.Primitives.dll": {.. "assemblyVersion": "8.0.0.0",.. "fileVersion": "8.0.824.36612".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "8.0.824.36612".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "8.0.824.36612".. }
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):53
                                                                                                                                                                                                Entropy (8bit):4.039544162952557
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:3Hpn/hdNxDI/pAtSFFy:3Hp/hdNyhAM/y
                                                                                                                                                                                                MD5:0828CC814843C0960554265CDA859EF5
                                                                                                                                                                                                SHA1:0140385A9E76436A7F3FED45136462F3393B5CBA
                                                                                                                                                                                                SHA-256:AC377253F9F7CF9D6127D684369DE36DA123D992CDC2E17950E3C8BF9688DF76
                                                                                                                                                                                                SHA-512:22CBB29225F35CEA4329A08BE760420CAB6AB7EA85628436B7518759E09ACEE8F382D79C800E5C8F6BA647CA98B32A35A3A52CC1CB5B9CBD2E3B20FA314D839A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:{.. "runtimeOptions": {.. "tfm": "net8.0".. }..}
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1247520
                                                                                                                                                                                                Entropy (8bit):6.749192841590639
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:NsvtzOPj/l89Sk2f+/eOUCxRepC36Rk3i+XFqUn:NsvtzOP7ymf+/TZd3ie
                                                                                                                                                                                                MD5:5A0F40B6899F9BD7E43A5425DA58DE25
                                                                                                                                                                                                SHA1:BDFF3CBF31FA86709309D92667C285F9F2C6D40B
                                                                                                                                                                                                SHA-256:EEA806D40BE4C2FB909072DF32DE259EC476E9A7CC749C37447994FFC340F1AD
                                                                                                                                                                                                SHA-512:F99971B7C6B3F3A02F99FD40DA655326D6BCF1060FFB2E5E49A6BDA6E09C05557B15F0951C1560E1ACDB4B2CDF0B63ECEF45E6745C1D562AE286AA3D53529850
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17584
                                                                                                                                                                                                Entropy (8bit):6.596677368900014
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:qku3ctExWmHT9QdWv7X6HRN73tHNsAR9zF0v:7uMtybTWdts89zmv
                                                                                                                                                                                                MD5:E3545A8E422248EA1CBC169B2E2EC163
                                                                                                                                                                                                SHA1:D55B3D8D01915B7411146DA933FCADA01CA75CA1
                                                                                                                                                                                                SHA-256:ECA8F5D0A6063D158CEFD6C125C0053171E53CDED0D8133197F77CB1FA289E20
                                                                                                                                                                                                SHA-512:13D4E658B2346640A5E7AEABAB66B8E432877360F928131C35AB201BDA4085A11C173FAEC46F4A66481BAE1BFA9B1F4650DF69BD3D0C2925EB680D8FDA72917D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15640
                                                                                                                                                                                                Entropy (8bit):6.836441141207769
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:kiGp+xfkPWhhpWvpWsWxNzx95jmHnhWgN7acWYH8AgfcMbnoQNpX01k9z3AZs88o:ki2EIWhhpWv4zX6HRN7v8/7R9z56
                                                                                                                                                                                                MD5:D3BAAD7A5DB953DE71AA459841CC37DB
                                                                                                                                                                                                SHA1:CB94AD1EA3706C7346CEB305ABB6B47436671636
                                                                                                                                                                                                SHA-256:A682B72F9D80BC517F197A0FF85CD2858EB743D8CB6E8453C946E413BD10C0E1
                                                                                                                                                                                                SHA-512:7680F910655B9BDC99DDA93D62F936FCF2C57931D7A324316D53571E2F069F691EAEEA2FE30AF1F08CC24E07D188692EB46D9A8CF6AB21CC7FB3FC391346DE2C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):120992
                                                                                                                                                                                                Entropy (8bit):6.141095686333107
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:HY1NwrxWkbGKzcNqJSvEVcULVii1i81SFUt:Dl6KYqJSvEVz7/iO
                                                                                                                                                                                                MD5:4FD4616455D07E7252B50B565A2E75C5
                                                                                                                                                                                                SHA1:CD6DB5A8DCA0D94AA5E48717E32F3EC3E1B17998
                                                                                                                                                                                                SHA-256:853DA3E1E5BA29DECFC91A39FA1B70955BDC63E18F034AE119635DF53704E9D9
                                                                                                                                                                                                SHA-512:1E37902F3B4AFCC08ACD7C8450E72DE11CA16D1D338B8E076BF4940BDE832866D410900ED6513B1D6BA67E7FCF579336998D7B2A2AC9483404B3FA2C6866EE2D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15520
                                                                                                                                                                                                Entropy (8bit):6.73836549241893
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:XkWrBaWi7WvaYA6VFHRN7JQDX+iR9zwYiQ:XkWd2KaFClJQDuO9zh
                                                                                                                                                                                                MD5:36B89A91AA27942AA5948EE349CAB75E
                                                                                                                                                                                                SHA1:89656249ED33686F86533A0ED8DC8CBEA81ECBAA
                                                                                                                                                                                                SHA-256:E0ED6218EB92190388E554288C0794CF3E85018F85EB753D1D6EE90167628D99
                                                                                                                                                                                                SHA-512:9A26A9B94231FADE42E9DC4F57A21D52ADD215D3D6A416A371BFFAF91085EE0866E4341D1C7D10707CC617E08297D7E1F69A32CDC062A02421355B3E08D79425
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15536
                                                                                                                                                                                                Entropy (8bit):6.73756934231282
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:38lEdg8Wj2WvQlWxNzx95jmHnhWgN7awWHBm+0U8X01k9z3AH5Q:3C0Wj2WvQGX6HRN76Bmo8R9zYG
                                                                                                                                                                                                MD5:B2F03EA9F7B56D26733B2A1C9224A397
                                                                                                                                                                                                SHA1:6C49E77764E38C99E092B4D74B8D22954723289A
                                                                                                                                                                                                SHA-256:236910220ECDC4F1E7B0A6EFFBED8A9177AEE6BCB090F16807E83368F17563DB
                                                                                                                                                                                                SHA-512:A1F2B9BAF03DF6D68DE01DF6D33970819668A46138CE38925426437E63A8A4A075DC0D4B6890A1C06DD40A95D6FC8657C8D6F791F356F68DD729A7B7CF7BB5DB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):276744
                                                                                                                                                                                                Entropy (8bit):6.735103537020919
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:zH8+KHhcm1xa3ZvGFehyhyO28ibc8wXD6GK:zPChcm1xachD2PbVE+GK
                                                                                                                                                                                                MD5:34E8718BED9FFCB954586F833672F548
                                                                                                                                                                                                SHA1:EE3D827879373D2AE7708D90C6916EFDE84B98BD
                                                                                                                                                                                                SHA-256:635D3192EBC262DCEAFB679C30D63A06375D686E9E9BAD9E43B1914B4ACE483E
                                                                                                                                                                                                SHA-512:A406540C34C699BDC6EA69635047EA206E295CB1E6C2EF80EC9C0374B74F2FE4C3754B309ADB2BD173D8F4D6261DB6BE6570B518A7FD7D2CBBC4304921A38923
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):837896
                                                                                                                                                                                                Entropy (8bit):6.723078162409922
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:crJR+uRoPwK6eN8/98vTU4dQEE3k0T9YLVgHr4lucvMgllgg9n:w+uM8abw+CMlFDll/n
                                                                                                                                                                                                MD5:E8D86E48D55490F58ACC8DDDCEF458CC
                                                                                                                                                                                                SHA1:DCDB9C0D60B300467962E58602A82BBE6EC77AAC
                                                                                                                                                                                                SHA-256:FC48AA677A344F912C1A9160115DAFD396B4F69EEDD27F4B53B14C2B512E92D2
                                                                                                                                                                                                SHA-512:18F993F4C7899856AA0C6AD200863D2444FDFA4745ED4CB961AA38DB9F7E6DCB5576665CC1D487A9D1EA7C3B526A95710734AA65049410CBC2E58FD7C3DEFD15
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):104712
                                                                                                                                                                                                Entropy (8bit):5.9531643262406995
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:4QoktJ1UcLZmsYAZwmkXjhXVrMZREnZWzUdhiszMO:4jk9vZ7I1GZKZPHoO
                                                                                                                                                                                                MD5:7DFE9C0A526E8BE845FDF94C77A40215
                                                                                                                                                                                                SHA1:C3C84D477A91F553167C88D7DC77EC77723138B4
                                                                                                                                                                                                SHA-256:4F96E191302A84C970545AADB2FC53FA9B5455B1DE54187A5373E0E3B5C90991
                                                                                                                                                                                                SHA-512:61971E48894E92832ED76967B06E0D8AB57B8748096159852BF2F6AD8C74F8B6DC759EC3FA868AE91F1F08D4F9ECB15CC3A8DF697452DD17972A96715B0C73A3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):104608
                                                                                                                                                                                                Entropy (8bit):6.019621325219264
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:Nx/tht+6AWhqlJH5MC+W06201CTBUsqEiONocgw50ad01IODi0zmG:Nx/Q6AqiT+WFPaiONocgwaaOhDzl
                                                                                                                                                                                                MD5:7B967ABA7A1321AF17A04576DE32CC50
                                                                                                                                                                                                SHA1:DC2F05B710D21733BEFB5066FA99BFB3AE1B7C4F
                                                                                                                                                                                                SHA-256:C3D7055A0C71A9E8641C7883DBBDFFEBDBB27D2350DE43BA925D947662533DAF
                                                                                                                                                                                                SHA-512:4B8ABBE1101EA2CB7B257198E2DCB353CCA151C4BEBD4697A128FFD69D27E1DE64FE19FCBDC79636414B01B15B7848E2C16E6B9BDE24688D1794A7334AEAA9A4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):260272
                                                                                                                                                                                                Entropy (8bit):6.618737529882049
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:nXiJoXLKgtvcp1M5eRWAbQW0ryS1woXh3m3x:XYCKgtEzweMiD0rGqJmB
                                                                                                                                                                                                MD5:C755E2D819F1462687BA99F28D7FB638
                                                                                                                                                                                                SHA1:1758E9E47D46C3B1D4F71520D09F3FA80E40C9D6
                                                                                                                                                                                                SHA-256:7EE67CDC969F5BD5BA1A4E99A17ED8A67C2DD835537A982CB41A7EBE3AD025FE
                                                                                                                                                                                                SHA-512:060610E7C30AB2625C85315E0AC105E08888BD2B37A9ABCFA33566565C632E7397FC5DB5EDF03054FECA2B2F46CB73F54E2CDB258CCD470D1947A27BC7DE997D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):203024
                                                                                                                                                                                                Entropy (8bit):6.207298456243025
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:ADzcvTHdJdCe4dCLLe+Yfn3gwmMWQArD5/oE5bF65eUV/uuTG:AQT9WDvgwzWQArHUV/uui
                                                                                                                                                                                                MD5:2B2EBCE91DD24647BA64032AFF474EEA
                                                                                                                                                                                                SHA1:633B37C3F8ED3E2E036A6301E3A99AE2382F9BE6
                                                                                                                                                                                                SHA-256:CE51C0A016E0D830BB2325B917DE3B959E42DF82C47A681287C97F0C27846AF4
                                                                                                                                                                                                SHA-512:9718A8E686CA2F7E27DB887AB94E0C5578CDA23170C27E97BEA1D0F95A30F29A4D742BDBC791C1E2F91D9AD5D2BE383701DBBA3D0AD054DA06D30863CD5DA1F4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17072
                                                                                                                                                                                                Entropy (8bit):6.659738769823181
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:zpmblJeIeGXxV7wl+W+XWvIX6HRN7ckABmo8R9zYRHI2jW:zLSWIWcVmoQ9zsBW
                                                                                                                                                                                                MD5:1C22BAF0E27D88F5BCD119256DAE3CFD
                                                                                                                                                                                                SHA1:B6A788DC9E55A276998EFE47C21D9F655AD6842B
                                                                                                                                                                                                SHA-256:0816FEBC2BA00D8CC16C843A5D629ADC4648A36EB45082DE8F0A29ACD5AEAD45
                                                                                                                                                                                                SHA-512:A14BA425BBB69F11D6F264CDE110034B6DC8CAA13DDB85F9E6C223C0D5176D168D8DAFDAEF3BDE86803CCFEB99614D1F9DE2D981DBC8E19225748A7C1891FAA7
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47368
                                                                                                                                                                                                Entropy (8bit):5.343676854529679
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:+W+wWvLfT+rudWBj/DbodqYfhKnVsL9WkS89KJKfCvDXxO88+aEZ4jIwVsBvzN42:eRLkYoYkaBv688IVO/X8FCltxf9z56g
                                                                                                                                                                                                MD5:CF4ADD9E2E8C056C75B770CA9E4B64B8
                                                                                                                                                                                                SHA1:B8EE4E78731D0D65E3EDEAF9C263BF703873AD7E
                                                                                                                                                                                                SHA-256:A28CE11CFA6608760F22E102423BFCD6AC33B693287C1F15AFBCDABD3EBAAECB
                                                                                                                                                                                                SHA-512:D72DEEC88359E38454FC783B82FF7C36CE0A50FB76DBFB74E469F7BA262457105474E80F9DAA09B04A10CAA70A45860D83926ED80EFCE8D685FE1961599B057C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):80032
                                                                                                                                                                                                Entropy (8bit):5.840306606911554
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:PH4czT4Vhd+Cv8A/oqZvD2olsyrbktai3zY:PV49+S85qxD2omyr3sE
                                                                                                                                                                                                MD5:A862087E377CB4E1CED00DFA23160CB3
                                                                                                                                                                                                SHA1:65198639EFED63E4EB19839876453E6DC3C1D957
                                                                                                                                                                                                SHA-256:7F450304CD7FF566C745EA2C776160865DB400D42A2EDC206020D8735C7B233F
                                                                                                                                                                                                SHA-512:136ADC24E973984D67227E66FCB6BDB3002C23D9883D20F111D78448B6DCB667DA0A32E30292D669AC55AE35B2106FE754D8C262505AE5EDE9058D750E74B50F
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):743696
                                                                                                                                                                                                Entropy (8bit):6.6621018055827355
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:EwTQLZPFIwJ04TS1jMoubC+hfzF89TwM/BiXtDaCPzFPaOL8j0ecA:TTQd9IwJ0B1jMoubC+hbO9TwM/BiwCPE
                                                                                                                                                                                                MD5:E10561CCC3B6C7D0AC9705A411803DEA
                                                                                                                                                                                                SHA1:558A8054F0ED9F680DD20561FD9811F3C818B716
                                                                                                                                                                                                SHA-256:E5D98E1ABE75C19B49952C9D5D4E28B54D336A73B9C14773FB4E7197BAE00E3A
                                                                                                                                                                                                SHA-512:77C60173B7037A9E3AC714AAF5778281BDC4AFCA9166314051D4784E53000AA33FAE46E90B4DD56701AC8C28558C252E0C04564CB5C8704F09BC6D3F3A732041
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):30880
                                                                                                                                                                                                Entropy (8bit):4.305226325250858
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:jWe1Wv4QqU2+30cM5YA6VFHRN7kuiHR9z0vD+z/:N03eFClkt9zaD+z/
                                                                                                                                                                                                MD5:F0A9C1F351FD248118EEE637D9B404D6
                                                                                                                                                                                                SHA1:25596AC1293D92EB144261BADFA3E76D51413E65
                                                                                                                                                                                                SHA-256:A3E2FE9700B643FCCCE0628540A846F45714F51A9DA17C0FFE56BDC4C739046F
                                                                                                                                                                                                SHA-512:0F05B14C36907A33A13EAD741F48C6679D06F42D667AA517CB31C8B06642499558D985C2955335CB3F426B63410B84B9E21E27A84546CC6EC8BAE84116058321
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):19616
                                                                                                                                                                                                Entropy (8bit):6.475079017005305
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:cMXTSv/fUNRvGZYdf3zyP/we9+uH5WdNWvFYA6VFHRN7Iz8u/6fR9znQQD:fQ9gcFFClIgl9zJ
                                                                                                                                                                                                MD5:CA0B1BEED7162550FB7FA2389A6B94E8
                                                                                                                                                                                                SHA1:11B6A2A0A81A67270A152391D2D8863B42FD388A
                                                                                                                                                                                                SHA-256:D88BB22EC1FF049550D1DD13B8B9C27B094822FBF73D034BDB4F5546F1AEC579
                                                                                                                                                                                                SHA-512:1068AF9F03FB8CAFA236F2D720F5C01C30D90E5B67EA03B54C9C42406B680945A6E808ACC31A57E11F9B788DD007E029CE114A919564E53FC6B9C0B97577C260
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):174240
                                                                                                                                                                                                Entropy (8bit):6.276884758080206
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:ioeEmXYzdfd6+Vfz5mDVVdwF6xARZvcKZzxuR1BB1GwRV:Ve1X4fd6qwVdC6x2ZvcK14B73
                                                                                                                                                                                                MD5:60BE3B0FE0CE54306E547728C541616F
                                                                                                                                                                                                SHA1:505519153734F9B58FB37DC4E86740FF7D057896
                                                                                                                                                                                                SHA-256:577D62369B948EC8DAC8D01403987007EDEF6409A8FAE7DF733FBBC068086A75
                                                                                                                                                                                                SHA-512:AB770C4882396808EA49D216367853D0041A63F20CEE3F6BB64A06417D7A5AF07FC1C19BB60948B04D411D0B27B45B1B3C5C316F1D06E623A34B54E79512D055
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):23840
                                                                                                                                                                                                Entropy (8bit):6.309945960737407
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:hS9H4Ay0l9Jr3OzFPhoact/iKMePLexkrW1rU1ZXt8+EFWc2WvDcrX6HRN7HVyNf:E9H4Ay0l9Jr34FPhoact/iKMePLAxiA8
                                                                                                                                                                                                MD5:7690C569AA58A3BB3D19D8B45D37DF15
                                                                                                                                                                                                SHA1:EF1D0FC539EC8B943B58C02C7E9B78415BFF599F
                                                                                                                                                                                                SHA-256:3735702159E6D3D1EACA9BB7A9763D1CE58F84A4ED246066EF1780F6AEC67F63
                                                                                                                                                                                                SHA-512:3E9CD45453CA82616BE8FD97092E6741CC2AAE98E0B710282674806D2C9C7E6782F89B580F241D00584173A68642643E64F70AE9FBCD25FAEF3A1D46D3A1393A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2861216
                                                                                                                                                                                                Entropy (8bit):6.795350514221502
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:/LlMm2mf+ncGZUm3k+mywJOHPxIyiNMZ62YGkO3egTxiZsc5hBhB0X1v:DOOQZYyZ62YGkO3egTxiZs209
                                                                                                                                                                                                MD5:D9A6328A389DAD8E4A5C9BF9EFD8FA77
                                                                                                                                                                                                SHA1:05C93E421CFA10B7504E867E8EDEB3E68C4EBE8D
                                                                                                                                                                                                SHA-256:1BB6848E76A1AC2966515EE04B80FFF63A1566CC086F267B184040E9F681E808
                                                                                                                                                                                                SHA-512:052CF47E55E025A03E7E0B92FFE49B8131BF7E7A0E46A4244598077601AD01B72D4060A393E8214CC4045435D930F9516B740D0DB666FF1207D7D0E7BCCC50A6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.654808513658327
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:wowweWm7WviYA6VFHRN7FUe3/6fR9znQfNzn:woEKiFClFUeA9z2
                                                                                                                                                                                                MD5:4F3162B9B035A7B978BC88F73F77A4DD
                                                                                                                                                                                                SHA1:EF3EE0BC3C8525D34FB1B3BC14ED6A11759DAE02
                                                                                                                                                                                                SHA-256:61BD0CBD9C8C85A1B6C783EEBD1568B40923D2EBF4C0967418D6202371CE36ED
                                                                                                                                                                                                SHA-512:CB586CA8F80BC4BF51CC3F032842FE9C0B987BE8742670BAD2C2A549C724B3770761175F3BF088A8C242BF1C37C5302352F9212C4FCACB2F8A8BB0ABDEAD5EA5
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):25376
                                                                                                                                                                                                Entropy (8bit):6.287661962300747
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384://AAaFiTCmM82SuxDJQE3W8FWvmGX6HRN7FNbZR9zLVq:3paFiTCm0DJQoEmWWFFT9zk
                                                                                                                                                                                                MD5:F6FD1153DDA80799A04EE9351FBC223F
                                                                                                                                                                                                SHA1:107E1B848C215F30569BFBC200637AFAF60D8C06
                                                                                                                                                                                                SHA-256:A4D48F2C0F6C22731A57D1336C82EBDCE6E5BA3EE7E13BFD4893979E53132FE7
                                                                                                                                                                                                SHA-512:1F588633E055FB992DE7B17072A5829E08AEF4A1A0DB6201CC966B7258D342531ABA5A81514BDFA84E41EE0A734848F175064B5C0D2BEC369AA66F9601EB1E09
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16648
                                                                                                                                                                                                Entropy (8bit):6.674662538277605
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:HaTGqLWl2Wv4MYA6VFHRN7paxMR9zGV5wwgTp:HaiqeX4MFClpp9zTTp
                                                                                                                                                                                                MD5:9D85EDC5D0EFA8F803820E3D40FCFA23
                                                                                                                                                                                                SHA1:73E9BFB4AC2B7B9424B7DBD5D257DF1E04945A32
                                                                                                                                                                                                SHA-256:560E53DE0E025CDE566C2C30080DA83E3DA28D592D5BCFFBA78CCC6198F2B2A8
                                                                                                                                                                                                SHA-512:BD15EA96737C7AE62C75218BADD5C979656252BC30DE81718EC07A0C177B2A268157A82EEDAB838EA2B4690D8AD609297DC518200F377878DF986BB5910772C1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.738272740252956
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:xEKxAG+HWRmWv1pWjA6Kr4PFHnhWgN7acW9aN6AgfcMbnoQNpX01k9z3AZs8g7D9:j4WRmWv1YA6VFHRN74a0/7R9z59DyM
                                                                                                                                                                                                MD5:30BF6C4EF92AED34FC143A9724F3CEDD
                                                                                                                                                                                                SHA1:1BB4BBA6801925D9B9BBD7DBBCCF1A8F522B4087
                                                                                                                                                                                                SHA-256:40E5813EAB9D7FA7A1914DBBD8E452C04F9FF053C5A4E5BE494DC85AC4BD9246
                                                                                                                                                                                                SHA-512:BE5E7104F3635D000D7246832AC54C9E32512DF678CD4B4BAFFE81EE3A1178BCD0028989AF71C2617FCF849A316F67A3F7D790C901B1D35CCBD08F16C24BA592
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):415904
                                                                                                                                                                                                Entropy (8bit):6.6490929239322965
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:zsUTEcoc/FGzasNt2l4ru2jKw6xtQ7/tvjETqeZ03EdoUj4MKD/6:oUTf/FGGsNtM4q2jStgjH+4Me/6
                                                                                                                                                                                                MD5:19296608F2A3075C08B531122BC525BC
                                                                                                                                                                                                SHA1:1F07C37BAEE61A8C4C7590F35B36721758F08D9A
                                                                                                                                                                                                SHA-256:9A8F55961A23B981F489AE6F7FBC7B5919A60CC181CAAD9B9C248D3E3E542D43
                                                                                                                                                                                                SHA-512:2F4BDE70E85ED6320CE94C5D64DB5247A052992648042785CCCA0A73E186825F98CAC9EB4EA9B126F2DC0A773053F763CC6539D12BC30209AEB65DB6527E7221
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47384
                                                                                                                                                                                                Entropy (8bit):5.385545715496689
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:QMGgXwsP/QEBuk3bqUghjhyCKPivxbzY17tvALj0fjW7F9zC:QCXwsP/QEBuk3bqUghjwCKPipb017tvB
                                                                                                                                                                                                MD5:BA98951D775757104E005E5F4E209C3E
                                                                                                                                                                                                SHA1:6A59BD6130172B72FB97C35CADBD0F5D9E549732
                                                                                                                                                                                                SHA-256:7D3347F76557D5655A5BBDAD0477F5DA12E337FC77E86B1B91E269A3B3A023B5
                                                                                                                                                                                                SHA-512:6D4EF736011D50D140932DD54DC2A5E40C574AFFB9F0FAE202C32C9568CCFFCBC12770ECF33A2A2C3BD76F5238AE360694D5FE44BD993F8A51AF330C0DB7E719
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):338080
                                                                                                                                                                                                Entropy (8bit):6.5467859190265045
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:KXlZtqaP75HL9eEIdkh+T9jb3b41PlmF6YZTdiX2JWb:KXlZtqweDdmMy8Wb
                                                                                                                                                                                                MD5:A19AEDFEB37A15AFCCE8BCC5D4D78EC3
                                                                                                                                                                                                SHA1:E0805A04BC3F3B6AF99DCB066A49940E64F2F2E7
                                                                                                                                                                                                SHA-256:3468B4717F086423052FCBD305CD3151CC555EF0045B9269D43CCEDCA838E47A
                                                                                                                                                                                                SHA-512:C2D939074F5EA4C28770556CEA5C5DCD2A173BC6D0A0BFBA43A7A29965DCB907B2390C1D0DAF74F07BDBBD572DAEB55A85FA15C87A81730AC84ED151526660EB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47264
                                                                                                                                                                                                Entropy (8bit):5.383416201972765
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:NB+D3qmLYSzA+DUnFT08vkFY4mPFsNEFClDm9zw:NzmLYSz1DUnFvc64miNwiDyzw
                                                                                                                                                                                                MD5:1E16A3F143BBC16769EDB8E90FEF330B
                                                                                                                                                                                                SHA1:CAE5E3C1186E4C6631FA3A607FB09627E60CA6E2
                                                                                                                                                                                                SHA-256:D10AB35B57C343C006F982473D98ED2D2125D6D311B131390113011BC96D820E
                                                                                                                                                                                                SHA-512:05A5FE0E8488D28A691824119F0B3FA03D493D91CEBED9977112A40C1BE7AB69E34ADCD49595386F231CBF756AA2CE0469867FD398642AB107B3D6449A6B9A99
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):67848
                                                                                                                                                                                                Entropy (8bit):6.069064583177759
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:2jOHMffs25VU9QbAoqxfxGSC0e+LRnugRxFjyGw3/slSdoF31s7YiNZ/OSkk9ZP+:2lM2EoLmpsFZZwiMzQQ
                                                                                                                                                                                                MD5:7C78865F32AED5CB2BED0B3240AEC113
                                                                                                                                                                                                SHA1:4CCBE9AFF7D5D86D401981106C5A85FDAB5DC5FE
                                                                                                                                                                                                SHA-256:5468BBB816B4A21AF610388C9AA8CC2DF47A581E9AEBF81EEA985C8D1EEA80B1
                                                                                                                                                                                                SHA-512:25C7070CEB9CC1BD3815C497E4012FB951D989592D39021E7381DE93D884467A63673459CD302513C086A8088BCD6D8355E0986582844083283645FD9CC952B8
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15648
                                                                                                                                                                                                Entropy (8bit):6.812729868383133
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:aATqxAOjfFWhUWv8VWxNzx95jmHnhWgN7agWCvwKDUX01k9z3AWipfx:awwBWhUWv82X6HRN7UpR9zvox
                                                                                                                                                                                                MD5:6E5EF37CC93928F186A03F70E18D2E06
                                                                                                                                                                                                SHA1:45415524ADDEF2322609C9A99B661711D4D83AF0
                                                                                                                                                                                                SHA-256:8C6B948D52A18E77B796E5AE43139E155E52362075B9D3F94929BD2E1C20D3C0
                                                                                                                                                                                                SHA-512:4C777BE5C8F211F448364A007BB28A45F8575B03D42B0CCAE057F0EB0EB9204CE2681AA0EDAA1A46D441B072F8188BC6361D85BF0D32A843D0F883065576D681
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):145680
                                                                                                                                                                                                Entropy (8bit):6.213889260140082
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:HXvuCBgDTeY0dpwQn60x7cftbgZyeI7XT5DFEj3C:xBgOY6aQn60x7cftbgfalCjy
                                                                                                                                                                                                MD5:B5B5534716E8115775DAE499811D0AA4
                                                                                                                                                                                                SHA1:A34F5CB79DCA9F2821E276979A72BE3A093764CA
                                                                                                                                                                                                SHA-256:0F2701EA7067203F84D6E8D3E5E6D45C00434B41175C3CF4F7ADD5B17D7F437A
                                                                                                                                                                                                SHA-512:BDBBAD128B3464B3C80C777560BA53E3297145309F53778D12A9285D469B4D79216F9BE07096F8F884251BBFA91274944F4E6E2345FE92A274F526013F637E75
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16656
                                                                                                                                                                                                Entropy (8bit):6.729692051834912
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:IK6DDj+yVx/bWXDWv1pWjA6Kr4PFHnhWgN7agWz3KDUX01k9z3AWipv0t:I5+yfzWXDWv1YA6VFHRN7IpR9zv82
                                                                                                                                                                                                MD5:AF34F0A70120DD8DB41F8DEC70280B5E
                                                                                                                                                                                                SHA1:3C568BF4CA5D852279C54F93350385BEE5666529
                                                                                                                                                                                                SHA-256:F0B69FBDB0540A52A66E7A7B5C11476E29FB9ADEB2DC7D5FF88EA12D36843D5B
                                                                                                                                                                                                SHA-512:54B6A9549E13BC52CFFE199FD07D9C57EBB2F3BE4C8000FC8DC2B9D824F527379697DBB41B8371562C55082C6E0B0EFD9ACFB375AD45964A4E8C25A46834A854
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):133392
                                                                                                                                                                                                Entropy (8bit):6.080206645595261
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:LQz5724yeP4Sy2vmH00N6no5WkCIJJoRc0onc:y57O6mpMSoZB
                                                                                                                                                                                                MD5:4E55F8E2CD309634892AC4E34D78D1C7
                                                                                                                                                                                                SHA1:B96BF1860E415BDB99BCD94AF0973F31D0CCAD7A
                                                                                                                                                                                                SHA-256:E8A06462CDFB428C9ACFC5ACA4BB97AB6D2C715E8029A6CD8FD5760F831A3D92
                                                                                                                                                                                                SHA-512:C4F154AFA33991A3F2494F92AE0A0F2866A21C55DBC86DFD789DB143A72C241589553E433B8C86B8EBC2FDA8A756E20AE4BD59FE368200A5F094C29208DC81F9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20640
                                                                                                                                                                                                Entropy (8bit):6.413981063303908
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:gTiP7uC8MYITetXBVviWTtWvOYA6VFHRN7hUKHR9z0Cn:gWu38OFCl/9zHn
                                                                                                                                                                                                MD5:CB49C95C0AF242456AD9607D21DE9273
                                                                                                                                                                                                SHA1:348DB802F73E1634072915844A523CFD2D028B82
                                                                                                                                                                                                SHA-256:3FAC9CF2FF6135B1FC90DB8A2C83E9B45F77E21B9B59C7CDB4A7C2EE86F9E127
                                                                                                                                                                                                SHA-512:1B72108AC26473B429F7450ABF9008C2BD1DBF42A826F1CD04F8FEF965D548BCFD82E23AB5DE25B5EA542C82150977E70793CD5BDB561CB0309E99988DCA1336
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16648
                                                                                                                                                                                                Entropy (8bit):6.6812317734380064
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:lmh7op9/MWbCWvCYA6VFHRN75l3VXC4deR9zVjTTC:lm5op9ZjCFClnVXC4dC9zVjTG
                                                                                                                                                                                                MD5:6DD949F6AA63BB8FE19BBF6B6B076083
                                                                                                                                                                                                SHA1:FAD97047B28D631D1DDBFE4DA79E2D4E624FDFAA
                                                                                                                                                                                                SHA-256:45886BE34B3B81717B4913564361B12D7AE3B9926BC85F80DF64026C4EE9B4D7
                                                                                                                                                                                                SHA-512:B62404B9AF3077DF8318E3CF8C7D9A3E97070EAAD07F5F6AB3E9E7C8F1763C14966298B7ABC41BE0AD96A07E3DCA2B2620C234ECFEEC6E020762CFCF6156FE4E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):243872
                                                                                                                                                                                                Entropy (8bit):6.50591783119501
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:mfSRUsXJHsqVpPq+Pu1Nr7tXAjsEpN0Qif+j7kgiuG4krZAuZAt0/+JvyQ4UjIPl:27s5Hsq7Pq+67qjhp+QifuvtzJ4TwM
                                                                                                                                                                                                MD5:2AB51F750E3B9C69CC2EBC9ABE2EF369
                                                                                                                                                                                                SHA1:3D19ABE16F55A9366780C2056210B87E9A78838D
                                                                                                                                                                                                SHA-256:D563C1EAF08DFDA8FD1860BF00FCAB903C85C91A299379D6EF73C3AECA2B7A9A
                                                                                                                                                                                                SHA-512:13633EDFE2C14117BB77AC7D94D3A2E27C19660F73A8E751F9D73B75C6AACD066954E7EBCD7B11F39A627EA9FD2F2B3455FF90947156AAA1DC664D5387699947
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):272544
                                                                                                                                                                                                Entropy (8bit):6.50562073982023
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:9q6gkJLdnAwEqvTlz1aYqsOMBFK0rkir51KYb8FK3MEIS3PQnZg28aq/xv642ucw:0dkJLN5EqvpzTC01anZ0/H2NfFgzFIS
                                                                                                                                                                                                MD5:3D7131BF95378643004211E17DF764AC
                                                                                                                                                                                                SHA1:5A4C0F7C5AE61FED16345B693E5CEFE2C3CB728C
                                                                                                                                                                                                SHA-256:B649BBE057F0C5B5EEFEF65087AFB3EA54EE2DBDE1BB03C532A0D894E783C031
                                                                                                                                                                                                SHA-512:1C730C3BD483223D0B8E622EE649C838F0DA6F97E25F5050F9A629A1B0271A8B8E10741D101A5A0645D7C4166E2FD7F53982506EBF10A4A17F7EC65A6394317C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.74478738201605
                                                                                                                                                                                                Encrypted:false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15648
Entropy (8bit): 6.828509514457341
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 16160
Entropy (8bit): 6.70432965142328
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 84128
Entropy (8bit): 5.872675308344579
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15520
Entropy (8bit): 6.736585195684987
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 831240
Entropy (8bit): 6.118745272820205
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 55456
Entropy (8bit): 5.787077196786641
Encrypted: false
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 264472
Entropy (8bit): 6.565006382155934
Encrypted: false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):104608
                                                                                                                                                                                                Entropy (8bit):6.03720418323957
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:eE8AlMvSLSjaab0PihEzfQHl9I+CAvpYhLKPyf9DKiVzm4G:eEjGKWKAuf+af9DKCy
                                                                                                                                                                                                MD5:3760E66ADE87F95A0AF203D73335570E
                                                                                                                                                                                                SHA1:81D2896860642BFD22384D01F3EAAC123BA8E8BC
                                                                                                                                                                                                SHA-256:3F9B710E88C21089D7D7ED538B4612527A2BC5C160A41C148B872A8C84FBA756
                                                                                                                                                                                                SHA-512:79AE5F2801E2498EF13C756F4CA3162F612146D5875081D85EB94EAAE15339F3D20E208E2803DEFD42C6917ED7E7F3B1606D7EAD04035007BA77FA9068BFE405
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):55568
                                                                                                                                                                                                Entropy (8bit):5.419488526897619
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:+TUsLf/NM8/u0koRo21g1PCYh0UskMFClYRFT9zQ:+QmNMH0ko71g1aYOUskIiSTzQ
                                                                                                                                                                                                MD5:7815CF4E3103FB75B16B322B82CA0A92
                                                                                                                                                                                                SHA1:1904D409EF775FECBFD81195B44F85BFDD097AC7
                                                                                                                                                                                                SHA-256:EC73EF6B6BE1C451C5222C593E7178DAD79C8E61292BFBE44CD1292D5BF6D9BC
                                                                                                                                                                                                SHA-512:E6900B2B1A2D6BEA175DA8D2453BBDC6432E20EE28CEA1156B1644CD02945B3886337C620C9EEA9A6FCEA7EAA68F23CC46E3D70BF9641DAA1F6393A8308A1D7B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15632
                                                                                                                                                                                                Entropy (8bit):6.823933557530997
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:Z1PXcWQqWvxYA6VFHRN7bih7RxB+R9z0o:Z1PW7xFClG7Rxw9zf
                                                                                                                                                                                                MD5:0D8AAF01FC45951BFFF5FE30ED082863
                                                                                                                                                                                                SHA1:DC29F5AA8215EB09E48953871554BDDA54F1540B
                                                                                                                                                                                                SHA-256:57304750022F054C5AA0097450C54D20484BF3AA564BCB1E97847FBF6C2E1E21
                                                                                                                                                                                                SHA-512:04886F62BC6656B18F2CD7077EEFABEE2A8F64953CA37E71BAA758D57D8375DE7A91C56E3E3E7B8B41643A5CC0568982E0AFDB4875B4FCE53C2625B4E7C204E6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):88336
                                                                                                                                                                                                Entropy (8bit):5.879093770998518
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:1fNv1C2lUQAOT1sJu0Z33qpE3JZr4GBo333333333333AQ3Hkkk33kLHtSaiOpTe:11dVl5Apu0ZqpmDr4G6333333333333g
                                                                                                                                                                                                MD5:401E2BCACEA756C5452E02FB3BDF39A1
                                                                                                                                                                                                SHA1:E4EFD4116196365376EC8082E16DE95B6FA7BD7D
                                                                                                                                                                                                SHA-256:61865DD41C1516623E403109118DDFA7645FD95121CBAC0583BA1CA2D541E556
                                                                                                                                                                                                SHA-512:0BB32643A9D86D047EF359D91C60634823F7220473C53CA22AE9A92B6A68A60CA60C383290846107828EC39CA52A16566A3879A3047211AFC0D7E5466F1A19A0
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.713782816724895
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:yzRHy1MW92WvNYA6VFHRN7hUtHNsAR9zF06Im:yzRS13XNFClMts89zm6J
                                                                                                                                                                                                MD5:14C84085F431CE7FBA0F91AEC4448847
                                                                                                                                                                                                SHA1:97FADEBD3354FFCCBE81BF2B0B29F7FEC60AFAC1
                                                                                                                                                                                                SHA-256:432AB703B7DFA567EC4E9C4717DFD2B9BB0EC8F373DBDA0771C10A5897E08D9D
                                                                                                                                                                                                SHA-512:5CA5F10ECBC7575F6C022BB1B45498F0F8D0417CB5CF4B5F647971C439E216FFA51526BCFA2FB39997D3C01F0F129228A2A3401C164AD756D1F1D807D1BD112B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):92440
                                                                                                                                                                                                Entropy (8bit):5.817248773055368
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:0fohJcqhNwo3SjZw4gGv7+J+lNxhh5h+WcziX:0Ancqhio3SjZw4gGD+J+lNxb+ze
                                                                                                                                                                                                MD5:65C30C4B56E172195C803385B3542743
                                                                                                                                                                                                SHA1:9DA75B8C3CB5C87EEB1E2A99589B11F048A8073A
                                                                                                                                                                                                SHA-256:A3FE636D2E150BBA7692E47E891E5E81501060D3E136CC7DF45AEC21429B202B
                                                                                                                                                                                                SHA-512:C3ECF3DFA558872A5352FC829A644B7E67561F2A96B99A5A027F9C972398EDD47BEE91CF2E4973334B31470C51B296DAA73B1C5BF94340A27446B55DF8EBB2A4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):84128
                                                                                                                                                                                                Entropy (8bit):5.795749731518867
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:yIx5ebzfb/qs7in9eq7Zb8GJZe/c9G97kA6tirmVzO:yIxeD/q99vb8G2/e6kA8L6
                                                                                                                                                                                                MD5:55BB40A1BC70FA96FBCD33B65AEB709E
                                                                                                                                                                                                SHA1:E34EBB648AC89C41C8F53E6831E3B707096F8004
                                                                                                                                                                                                SHA-256:2A5CE27B0E82264E6FA09504680B32B0014BE188FEF4AEDFE86D3392C3190477
                                                                                                                                                                                                SHA-512:D0349F16BFAD2BB35738ABDB336C9B852A1316EFFF11095BF219753A61AEB926F620A928321FFB97B2E24CA7DBEFCF6592A516636C2DF2638572C2B364CE3D42
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16672
                                                                                                                                                                                                Entropy (8bit):6.749834751700326
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:cARUY7xW2WGPWv7srWxNzx95jmHnhWgN7agWYLrp0KBQfX01k9z3AlC+1ZIVpdt:cYdVfWGPWv7jX6HRN7XRxB+R9z0DZIL
                                                                                                                                                                                                MD5:AD19CF1AEE37E575B7417387272ACFDB
                                                                                                                                                                                                SHA1:A268235CD212375CDB20176B499AA154EF3FB145
                                                                                                                                                                                                SHA-256:E7DB86F2176EC876DE7AF4BECD8B7C4EEA60E133F4866FC014403F318928CD24
                                                                                                                                                                                                SHA-512:F9D853ECC9ABF4D505794C1E41AE9C0D25078ADE7B861F86E69E4D6D0C586CE0B7AD5168F172DE2C9C901BF3EB76B98EBCC7C92D5920814D19396BDEAD8BE51B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):166048
                                                                                                                                                                                                Entropy (8bit):6.346422693533479
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:oqlaVz+We9hgsXZyPTA8pLtx1k82pq1L8p9X8f/F:tAVzeosXZf8pL0p9X8fd
                                                                                                                                                                                                MD5:E6115534751BE304966019E057F40DE2
                                                                                                                                                                                                SHA1:671416A123E8ED8243A0F352520CDB25D999AB17
                                                                                                                                                                                                SHA-256:7C2A4EAD45C9BACD5AE24BDF7C1D2481F1A06F75088E7F884974AA0257E798FA
                                                                                                                                                                                                SHA-512:B8834D7F4CA23F4954C0D2FF351215FD522F53055A9751EE4CEA5F965B169A29EADCA7E9376A0F24B2AAB0A72D8C5286032AA42C4958A98B0FBADB776523A341
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15632
                                                                                                                                                                                                Entropy (8bit):6.8277201917102674
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:H9jw4pWw+WvLYA6VFHRN7htvR2IR9zXRq:H9jw4dPLFClhtvgU9zw
                                                                                                                                                                                                MD5:DEB54D7C28DC4BAF320D8E762CD3906D
                                                                                                                                                                                                SHA1:28D9096B448B0C8611302D7E27A6667050252682
                                                                                                                                                                                                SHA-256:7800B0FD6AAC7979CAC550E1BAAE3AFAC15CFA8081FC186B27553BF7CBA7A0A3
                                                                                                                                                                                                SHA-512:F748B155577DCEE8141C15E0684EF79FD6197891B5B1215074EFA7299539A38F7AD54EA97AFAB41F4DC42AC0F8904F36BE791494EFBF4E0EE0D1257185B2A538
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.665072159776856
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:OzN83OxAhRo4HWabWvFpWjA6Kr4PFHnhWgN7akW2huxu3O6YX01k9z3AneMC:SN8302oCWabWvFYA6VFHRN7pyR9zKeN
                                                                                                                                                                                                MD5:79563DE651295283F15CA4BCE8E98841
                                                                                                                                                                                                SHA1:4D6ACA5801A92B02BBA687F7B6BC7E6EC59FDE13
                                                                                                                                                                                                SHA-256:A58420178170177F772551C4AA7E4807B2672A8655F828600D47A3958CC40F7C
                                                                                                                                                                                                SHA-512:77CD8D3D9A1AE5DE6A1A49C114FF4316C02E1F696430DE173D89632F96B958CB9B9010DE7B89930E15D177A5BE6E470D358B6330A968EA8ECADA44F7F43225CC
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):3676336
                                                                                                                                                                                                Entropy (8bit):6.684594575848001
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:h6S6FKfOBPKD5EUsp4Zq2daW7L2+K06Fs4sZ39SuMsFIW/pR:HOBiOmbp8uMsFIW/pR
                                                                                                                                                                                                MD5:C3C16C39F19ED16A1AB42EF8DE7AE641
                                                                                                                                                                                                SHA1:F072B19500679A70D1D6DD113B55921C6F963CBA
                                                                                                                                                                                                SHA-256:10E4BC750F17578252293AAF7192E24E72A330D3EDC0146BE9245E9586CAC19D
                                                                                                                                                                                                SHA-512:89307D4FDCF1DE91C6A0DD8C0807E56863856B803322C33AA845D90C0EEB6988F97ED70CA2754601FB61A739C0C364F2D8ADC7A28869F4921D6D5CF358FB0D2C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):805152
                                                                                                                                                                                                Entropy (8bit):6.7416805748123725
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:nbwydNnBKT9DzuU4/sKE5QmSfc+1yQgdY5wDG00eK0CszcyYl:nbzpKT9PuO5QmaryQgdYai0ZK03k
                                                                                                                                                                                                MD5:19464109760AF17AE6CD8DBA5D222722
                                                                                                                                                                                                SHA1:9DA4FA8D3C740182134C3D2B2977DCF0E0FAB669
                                                                                                                                                                                                SHA-256:A4E353C60F26EAC3140F493C270320302BFB2E5FFCC1D4131682EA3E4C02D244
                                                                                                                                                                                                SHA-512:47397137669BAB558BBFDB42B9AABC24A6301F8671253B0BC4632A975AD4AA0BAB87C9472AB4553A526132634CCD93A88BC09C4B8353E7FAB14DE0E2F498B7AD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):174352
                                                                                                                                                                                                Entropy (8bit):6.296291995805638
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:i3adgejQmgA0o3eXZI6e07fww49JKotL3aZv0Tl:EadgQuA0/pI6eufww49F3aJ0J
                                                                                                                                                                                                MD5:B58CC7032740F5EEC429E8414737B9EC
                                                                                                                                                                                                SHA1:A18595EAD4A4F6ACE6F03B94248ED8E1BC1E599C
                                                                                                                                                                                                SHA-256:59656C67991255D19B868DC1F48D1AD10BC8D8B6C667F792C2C9AFFBF69E47EF
                                                                                                                                                                                                SHA-512:4382B3227139F6D15CBC4E2E25D4DB33B591FCC56E28E4B02D1FFD91F485CE908F0FCA236ED214B974483D856B92F348C48A06A7C1036CCB716DD20E7E69DCCD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):542880
                                                                                                                                                                                                Entropy (8bit):6.739097833229294
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:fFcC4bb3czSgsrusOv38qA0s4WfufbFHJMb3xqHYYzLhMxjCUoTclQ:K7b38crusO/yEvuhsSWmQ
                                                                                                                                                                                                MD5:DDF4958F47A5D0A7ED06832880DA1BFE
                                                                                                                                                                                                SHA1:40FA6F2D97DE7504770B37153F4EEBF79A069535
                                                                                                                                                                                                SHA-256:BDCF09BBA6A4DE7D73FEAA0DBA8802BE86738B3DE4E3E8D0EC79E2809F0F7E17
                                                                                                                                                                                                SHA-512:1D54CA464CFD1ADB8B78C1226954F2C4FB66EC3CB51980BDE613A25A18A938BB536C7C6695CAF139EAE1F8A15AAB33B53B0BF9D1DC9BFDA948007BD6DE3EC0F2
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):157960
                                                                                                                                                                                                Entropy (8bit):6.47315446775413
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:Vm98N/j+0sbFbqX63vwZuIBo7M5F896ToYdBCBuqmwLhtTihdUmXD:88Cb6oIBo7q2GBCBuwhzmT
                                                                                                                                                                                                MD5:11C346045E8C17C82C66B33E1E200DD8
                                                                                                                                                                                                SHA1:64E08782D5CA2ACB2AC2C88B2D8F0323F43E3295
                                                                                                                                                                                                SHA-256:344C7A232249C2ACE65D2CC03D62C356FE3F56AD46A0CC4603A36EC7D0F5587F
                                                                                                                                                                                                SHA-512:294F1F8DEF433238DE0E98754BD44BF0614490D8A1086759924F548B91E219E223380601F16B987B27C9D0D67FE80393827A30580CFA096C49F5B2834E73FB88
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):129184
                                                                                                                                                                                                Entropy (8bit):6.196981583264401
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:4YBSzjfI+HAOaaRH8/OhcRRY4beMDSZkXs3pMGudO:ifIcJxRHMOhO+Zkcyz0
                                                                                                                                                                                                MD5:AD794A89E1FB0BFD63D31E0BA44A9690
                                                                                                                                                                                                SHA1:38636C92963BADC5F01B4A3AFCCEA17BE099C4DD
                                                                                                                                                                                                SHA-256:7CE9E667B76C9F647E7124755BF25F56115C5CEB3A68DBDFB0254CE16AECF19E
                                                                                                                                                                                                SHA-512:5D48755E0C03D7554E5924DAFF35C1505987664E5C5BAC4F4CFB3B2DF7AC74AE214DC6B1D7D778FF04579360EAC86111A56467A0B4C86552669B109145972679
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1730848
                                                                                                                                                                                                Entropy (8bit):6.692369218509377
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:mycmIjdj8GrJnZLDflJjD2TRSKIP616WF1IMx:amIjdjFrJnZLDfz/aSs
                                                                                                                                                                                                MD5:564C9A5BBE41D6CAACB1FA1993CC8AAC
                                                                                                                                                                                                SHA1:34079090BC4D48F0351673BE7B255C52FA5B6369
                                                                                                                                                                                                SHA-256:B760CCED33549528F6E101C491A0CAC4064F644EF3E829AE127FD3F09A33FBFF
                                                                                                                                                                                                SHA-512:1A5D4F000EAB595E7DCA508C94EEAD23AD83C9856C57B9CB18DAF43D5B795FFE4C093A063B99142D2961AAAD33987BCC7DBEA5EC901DFFFF10C57A90D7A685B6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):551184
                                                                                                                                                                                                Entropy (8bit):6.571055787933049
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:KmIFBDqpp+4F/B7VRZ3KYNB0hZJ6c7fkDNRd2B/eBl3EWZg0gG/qikXOG4drks:veip+4F/BJNuZJZx++WZgoQOzrks
                                                                                                                                                                                                MD5:57905BE512F822BCF59258FBF2448DF8
                                                                                                                                                                                                SHA1:27828B211218F240CE1ED73997BFC7B0A04527D8
                                                                                                                                                                                                SHA-256:CDAD57CC4B992A6BBE2BB79BACD6DD28D248694BF089731BB474BEC682CA77C6
                                                                                                                                                                                                SHA-512:9B2044A712E59FE7F6BDAD8420FD21451E5679D7AECD7B4479341C7AA27ADA290967CB32F898A899BF6E344A88F1FB7285EB214A98792C760BD374EBCBDE02B5
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):432416
                                                                                                                                                                                                Entropy (8bit):6.566108898209545
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:K+cqnJGnQkW6a+Sdjoe9k7u0GeFowoR5axLmqRSxnJ8kks1GL0q3+lL4A:l6aFP9f0NokSxOL0AEX
                                                                                                                                                                                                MD5:29A059AB9999BD953C0AEC0B2C78E9A1
                                                                                                                                                                                                SHA1:C41DB5BB3EF1CB499898698E3A87B83925F9BC36
                                                                                                                                                                                                SHA-256:E1743ACD71086BB1AA689AACCC9485AEC04B2A7C2C15586ECDD5685AD881B7A5
                                                                                                                                                                                                SHA-512:5431C58174273A5795D40DF4AA988D6049E0402F04379E84B80A9E02AE819A73BD5FBFF17109EFF0C341171A56BC28807D8B3B55DA03E7304552993DB89EA220
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):112800
                                                                                                                                                                                                Entropy (8bit):6.132923222586611
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:NUgJ8nlSAIFIpp8oXAcRKdRObZDFduWF8XwYJiAzk:Nx8nMAc2p8qRgAVDVF8Acjg
                                                                                                                                                                                                MD5:397EB70F9DE2A7676B5DA94FF7CF11BF
                                                                                                                                                                                                SHA1:88424878A779059002622F22315C1E0050FF4251
                                                                                                                                                                                                SHA-256:E2A5AB5B077CBE3B7CDB0622EAE9363E8D9C591DDAB2CE87FCE6777A510767A6
                                                                                                                                                                                                SHA-512:0E4836D6AB91BDACBB49EF71290256A7DCF4CBCA23B9C329C2E05CF00966BF0FABE9748092A579843BC211D4612D94CF8BB655207A3D40C46D11DCC663BFE544
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):157856
                                                                                                                                                                                                Entropy (8bit):6.292306263911845
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:O1TeXCmzdST4L7rGE5RtqbqeQGwpncU/SLVXyVMnA9kmeBgo:WGCwdu4SsRQbIfqZm0H
                                                                                                                                                                                                MD5:3874C63BA167BA4D4B815BAD86016CF4
                                                                                                                                                                                                SHA1:72AB7DE57994DBAD6133FA9DDA1F2943E9F3122E
                                                                                                                                                                                                SHA-256:9F9CF0B569F370DF63BE323844009718090B6D4FD4E21EC8D4DD6B6CC2FFE8CF
                                                                                                                                                                                                SHA-512:17DC16864394CB6F0D52724606EBA24735A86DD62719264635265CED7DB0C36333FF0A3328222B6638DA16DD23FA6159E5F9B5EBA4499F62BABB1524587EEF2B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):96432
                                                                                                                                                                                                Entropy (8bit):6.098459980747934
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:Y6cypC971fwwSZy9hswibRSsYwlFb7R/gJR7SSNNJkZphyNVdWvmVzS:YUC971fZgy9hswZsYcN76JR7SAfuphyI
                                                                                                                                                                                                MD5:E039ACA6E9900CEADCFBDBCF094D3A14
                                                                                                                                                                                                SHA1:E38CEE576F881D512D4217629AB09B795FB520E9
                                                                                                                                                                                                SHA-256:FAFDAAF0437E2C10B8343E5B1B2C744977B88CAB7585FD27DCC12071B27F46F5
                                                                                                                                                                                                SHA-512:02D4550D30E3B9FBBE73243BCE8161E9117BBE67610117F11158A2B02DED148BE3A88C99CD6F60BD4DACB704F87E137E488F07CCA48BAD622CEB8F74D418F011
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):231696
                                                                                                                                                                                                Entropy (8bit):6.473831853357629
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:LaO7AQhsFgOZrgy5HSchuzeQ4X1VjK6uJQ+Y6MFot9R9loV2O1w6D/:77AQhsFgOZrBccgeQxRJNtngV2YTL
                                                                                                                                                                                                MD5:5C34FE0079268AE7F3F22811FE9495FB
                                                                                                                                                                                                SHA1:DE25943AE52E36BC6DD686790A7F56D5AA5C7591
                                                                                                                                                                                                SHA-256:D609294406B894BC0F60D10FB62AD7A819E3BCBA3691A1825E4250364E23A7F1
                                                                                                                                                                                                SHA-512:46A330540F64EAA5A7BC8D097DADFAFB5D054282F44FC2FB57F59494E5A1E6136C98DD8B6D08DFAABCB29B8121112405A86946C27F854151B443E18968F531AD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):280840
                                                                                                                                                                                                Entropy (8bit):6.504374684121034
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:6T5mQ9WRSfuurvHljMR4WGTSttIqq+xM8cSA7ljZZ2uy:W5/9WRSfuMHljCxMkA7lNZ2uy
                                                                                                                                                                                                MD5:D351D8F0647E32577C3F03481B85A225
                                                                                                                                                                                                SHA1:611C0862E644752153C74E81E6603EC0711F7BF8
                                                                                                                                                                                                SHA-256:32409E5B1F753B13850D2C88CCBA73CB9CC4678D41F11A6B30C020AF3B787054
                                                                                                                                                                                                SHA-512:A4AA5C66899B9E7FAF6B30E84826AF4F2CAC4C8A0EEED0B4292B30642FAC53AD20C42E401D9448195B78AC88A2D2F8F0D5AF28A9484E6B0D85570C15C7EA296F
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):346272
                                                                                                                                                                                                Entropy (8bit):6.521387641131273
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:+f/JWsKEin0hypPmFjQMt5e15XxGGIDvdDp3k+fc3CU1S2Du:6JW7EincF9QEe0THQCU1HDu
                                                                                                                                                                                                MD5:44E2EFFD739146A1EDE87973AE254B2A
                                                                                                                                                                                                SHA1:E342395ED09EF148F5848EDD1D79C3DC201A9738
                                                                                                                                                                                                SHA-256:3FA27A91DAA93BD98F0EC6943DCB08531D799327B3E08E87EBC1BC9FCADF1CB8
                                                                                                                                                                                                SHA-512:13507AD994D29D7DB8DBCF460819DBC2D7343FF9001426167361688DEFD3191051D233D71FCDAC51E0C16AE44CFAC5BB5A2F2A42D8389C32A51A533647977911
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):669856
                                                                                                                                                                                                Entropy (8bit):6.738177589721567
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:WauvNG3LGljZ0W5Yk0ZdmNtAj0mhIPLboapg1i6k90QdsAYcNCYq:WagNGbG2vBx093n6MVS7cZq
                                                                                                                                                                                                MD5:621801207C70925E83F806DBD9954A4F
                                                                                                                                                                                                SHA1:AC257BE3308F039A09E0439C4111F7FAFAED12DC
                                                                                                                                                                                                SHA-256:4B1C1C6254C0F73E5CC110F3BB3E342D11EFF16ECA5F0F678E5158E896DC67BC
                                                                                                                                                                                                SHA-512:82C842AB166058DAAA31CCED435D29BC996ECE3E7295C0F934541AB1B1969F2A9221612573BB3CD85412A98AE1780A9A2C5E38F3E34E2385300F5EA56D622F74
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47368
                                                                                                                                                                                                Entropy (8bit):5.313584058986443
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:DEOyP3H1ppKzS/Y7Fzq7roiIJPMuFCl20VXC4dC9zVjTQ:D9yP3H1ppKO6FzqYi2i5C4dezFTQ
                                                                                                                                                                                                MD5:D38BBF660F3694B32D26AEB7A4113BCB
                                                                                                                                                                                                SHA1:D1FB7DA85BBF49A937D233BEF2E329CDB9B68241
                                                                                                                                                                                                SHA-256:C85BA2F97897AC62919E6367E4FC05D166B3A4D13E5757E21998883312C52294
                                                                                                                                                                                                SHA-512:0C7B9ACF7D318E705BD2F9785AF3892BF4BACA9247EBBEA96A294DA32C62B9D912BFD2D4E1FB5B2693DBAD8F3084AAA3382C690BBBA82AB7456BD00512CAFC52
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):547088
                                                                                                                                                                                                Entropy (8bit):6.626088648642838
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:BZmV75OO7txaGNUL2Sdr5Nzv0SAu9FWc1sPHE/0NY05:BZm95FtxaGDSzxAu9IpEsN5
                                                                                                                                                                                                MD5:FFC0A29CFB99461BBD61BAB8A455BED6
                                                                                                                                                                                                SHA1:75577F5B1ADC70877BC39830968B605CC175A8C4
                                                                                                                                                                                                SHA-256:91CD06310E6DA6966A37C073F4FA4FEBB896BD09EE8658F308EB1709B335EB07
                                                                                                                                                                                                SHA-512:3BF93B46BE1626636BFE133E2899218649C17F05AC1294B7940A2BBEDF01161E597D0DDE047A1672B6712444F8C5807BA8157B6A2EF50E4A25F3C46501100E3A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):170144
                                                                                                                                                                                                Entropy (8bit):6.427166919417408
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:Hza6IfDI6Q8nqNIJ55jypCTpAY3ykJ9rialFpR/fTu:T9t6vn8IJySpxFHfi
                                                                                                                                                                                                MD5:53AB5080DEEE5C08F664C6329DB1CF45
                                                                                                                                                                                                SHA1:F800510D0212425220BC0DFBAADC9FBD979DDFB6
                                                                                                                                                                                                SHA-256:EBB450E89DE674B20C93E0108123FF1C1D2F217CF9CDF2E51609A84E76708687
                                                                                                                                                                                                SHA-512:DC321BB7693ECF188C148DF5ABE942F2DD6D2FCA6F681876BC9C066A1356C7E3562846E5E1D91B759AFAC9F1872D9516FCE81270E1AEEA4FFD608899A4EF9772
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):67872
                                                                                                                                                                                                Entropy (8bit):5.7806499699132505
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:tWTDQdpxYexI0Yx82s88krahmqOwA83qJKAFE6WHKV6q6G22N7XK6RH4wqYXYsY/:tWTD2px7DYx82s88krahmqOwA83qJKAk
                                                                                                                                                                                                MD5:48EFC108D7EF7817BCD9BAFAE557436F
                                                                                                                                                                                                SHA1:5A017C66B16266A7C34CEBB7DFF531AB5068DF34
                                                                                                                                                                                                SHA-256:9C4D605934307CFC9ED37ACB1210368C8ACC5C88B816931E7D022F8AE917CDCA
                                                                                                                                                                                                SHA-512:E7FB663FF470121B72A2B6621A362DAE7C8899536FAFEDF70BE69016630604C7C7027BBE9509ECBCEE558631B07535E03F3FA5815518BBFEE6B1417A0B2324E1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):43184
                                                                                                                                                                                                Entropy (8bit):5.444316993596802
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:C23WkwWvOJtQnkEun+JBTeZDeRbOkKsfJbCLv+CToLfyOQEi066gaiGgX6HRN7jp:C23ROJ+pKEJSO7o6ji3W99zdD
                                                                                                                                                                                                MD5:090FCCE165FED5E5ED5332C11CC31B3B
                                                                                                                                                                                                SHA1:77D98026A8A7F6307655B54E34B4CD15C903DC23
                                                                                                                                                                                                SHA-256:D2EAC1736D03EF60DA6775105B7AC6D8E0C9855CA2437CF108B1DCBEBF05CBF0
                                                                                                                                                                                                SHA-512:E09CC8EFE62E0EBA06596BBCBFEAC0839EA9B31A355F4F24DAB0A85238EE62241029DA79D51805DB29D1232EA769C236DE961D5DA5B17E045098523E3DDAEABD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):100632
                                                                                                                                                                                                Entropy (8bit):6.038277233896664
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:Xl4Xlu9IUefYv9AfOWog+qBWO7bBjLLEORWNzrT:Xl4XlDl89Bg+uV7bBjLLEOR2fT
                                                                                                                                                                                                MD5:4F6F32BEE2BC12E8C6087488D856AF5D
                                                                                                                                                                                                SHA1:AFE5F7581CB31B6934F31C9410AF4D08EE5934A2
                                                                                                                                                                                                SHA-256:8971C704C33BAFE87445FD4B8E5417E2824F8F878052B11BED2AD02F7DE31DA0
                                                                                                                                                                                                SHA-512:EC0416BF1B814CA94A6FAAD2B97A605BA01BBE4D62697088C665908A6EFCABFA9834E4A7C45FD4BD5DA34E59616E49607D11C9F8335946B30DB01E76AB2EA0D3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):190752
                                                                                                                                                                                                Entropy (8bit):6.3691331105031095
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:tOEp0tsypJKO0BYnjbpL8DqJVyR3IUQeu0IeW+1omEAa9NYLbkbmvh0dksI8mt/R:fpKsnRnYQzIeW+1odmvhSR7mtxrX
                                                                                                                                                                                                MD5:3C9FDD9789791E468453B420FA39CEC5
                                                                                                                                                                                                SHA1:92386B6677D421CD2EFEC73F67D66975A41017E7
                                                                                                                                                                                                SHA-256:7CD51A14E2E1D4231FA85440AFB3047B65AB4F397BFF37C91F50ED20DEF9A800
                                                                                                                                                                                                SHA-512:B74F822E016E468C15B70274797944F8444A38BE9E68F6B83BA42B30A02FCA892E3EEC0E4E177AD267DBE90DF0D8FEB1B999EB2A866489E0B2B659E6282BF1F0
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17568
                                                                                                                                                                                                Entropy (8bit):6.601523102100865
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:4hubcrkpKZyS3YxAstDhWVVaWvipWjA6Kr4PFHnhWgN7akW98xu3O6YX01k9z3Aj:S3132LFhWVVaWviYA6VFHRN7FR9zKj
                                                                                                                                                                                                MD5:A0260D173E91A0BA02B39CB673986BFA
                                                                                                                                                                                                SHA1:AFCD7A4EF3B64B6112F67C568DE61E2599D5E3F9
                                                                                                                                                                                                SHA-256:2E28BCA4C04A512CE8B481B7FA8FA93A342406A5E554B9D9075F9BA20060701E
                                                                                                                                                                                                SHA-512:62BC5F23C77674916D2B552B397E7C3891B276D5304FC9AB6C48A70F60190EAEBB1A06B10023A820EB9E58069A9C81B1E7D7B73951F69839B0A8BF5E6A5DAC06
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.698265155355934
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:OL9+i8wxVLWIBWvrVpWjA6Kr4PFHnhWgN7awWyHSZCjVi6KrIX01k9z3AszWmCL:29iuxWIBWvhYA6VFHRN7xyZ49R9zrim+
                                                                                                                                                                                                MD5:C79FBAB0FBE63D539F5808D867319DED
                                                                                                                                                                                                SHA1:6AB319EA399E61322A41F059743E3C8C66C4D184
                                                                                                                                                                                                SHA-256:759C6E9C3EEE3344F73EE6FA8016F27816C2615BB079D1DE9CD97EDA35ADAF24
                                                                                                                                                                                                SHA-512:83DC117256500B347751D30AB390B3C4F4C371D8053986B44CEE732FA5E540EF60A8CB78BEE73D1A93984B4EDF65782E86424735F58094C259793A7EF91697F7
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15520
                                                                                                                                                                                                Entropy (8bit):6.724762605096555
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):80144
                                                                                                                                                                                                Entropy (8bit):5.803230831022685
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):13170968
                                                                                                                                                                                                Entropy (8bit):6.844875656043683
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2082976
                                                                                                                                                                                                Entropy (8bit):6.703393423935663
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):260376
                                                                                                                                                                                                Entropy (8bit):6.615511865069277
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):403616
                                                                                                                                                                                                Entropy (8bit):6.600068240160654
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):7989512
                                                                                                                                                                                                Entropy (8bit):6.799190907572347
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):75936
                                                                                                                                                                                                Entropy (8bit):5.93517438959376
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.746130186809866
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:VWqx+7wWEUWvFpWjA6Kr4PFHnhWgN7acWHx6RMySX01k9z3AhV5JC4qRH:8wawWEUWvFYA6VFHRN7nMR9zGV5wbRH
                                                                                                                                                                                                MD5:DF0207D04392D91A07047F9309B5DB3D
                                                                                                                                                                                                SHA1:AC61281D2717E1DC8E78BAC27BC84DAAFF4DB1BF
                                                                                                                                                                                                SHA-256:80C531B9CEE91C4B770264ADD3788E7C55E168DAB69A880616E25C288C1AFD1B
                                                                                                                                                                                                SHA-512:BBD5A9BD24630787E99A806DF0CD178F604398043F0CF65D4CC7191C052B427EB2DD50D86F455D02D04373E7C73C319B079DBE47AA9F2F05726C6CD5F2B02BEC
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.7044983638513145
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:DuEW1VJWvrLYA6VFHRN7MDX+iR9zw8td4:DutYnFClMDuO9z3d4
                                                                                                                                                                                                MD5:CE6B3D7D2E3BF3E35BC49F0905A0947E
                                                                                                                                                                                                SHA1:5F075D3E596CFF0670AEE7E1BB1C6C2FA6AB1089
                                                                                                                                                                                                SHA-256:253E1C6A59ACB96DB9EA8E4BE48EA4E8040F885D602349B2B44753234709D49D
                                                                                                                                                                                                SHA-512:D53C00B4C26540D36464501A64A0AB3E7FE175256F47F44BBA53D25ECAB6255C51570EA4A7FBD6E2FAC171967A9CB876E2C7FD5A961554EB5C49222620E31BD1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):129184
                                                                                                                                                                                                Entropy (8bit):6.114698747717757
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:6Z54JKiEAYbKatyLJSsVkrc00EBR7yxcuk:B/fSessuaRxhk
                                                                                                                                                                                                MD5:2E6C7A183AD043850BFA731550D43F51
                                                                                                                                                                                                SHA1:3F6818E1FD9564D38223367DBE03D257FA394D83
                                                                                                                                                                                                SHA-256:88DFA993884C1277A3ADCBC55EF44B4A38C55EC4F0F8C7768862377BEAE76DBC
                                                                                                                                                                                                SHA-512:C8D3013E7C9171ADE3C49782394CDCE172DEC85EAC96A84CFAE7C1936666EB4093D7A518CF955D30B3E1189C0C72319A6E58D85731F83020E59DDFEA5D44F743
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15648
                                                                                                                                                                                                Entropy (8bit):6.804728776210739
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:Gv8XzaxAQy8W1WWvoiWxNzx95jmHnhWgN7agW8jNOghHssDX01k9z3AeKDJA:GEDAxW1WWvoxX6HRN7BjNOgFDR9zzKlA
                                                                                                                                                                                                MD5:00346A61DDEAFB150D595887D6ACA36F
                                                                                                                                                                                                SHA1:735B7CD1B62787861BAF51EC0D02C66C294962F0
                                                                                                                                                                                                SHA-256:AFACE1464DF1D31BD96CC897F4D47C6B5A855707CBBFC954E624E68F3AC16372
                                                                                                                                                                                                SHA-512:60395D751677C3728C3CD7763A36B1950E329D8407649C97CA7B049D8FCF8117943D1618B06087F376D6FAFE4EAE1ABE64BF0CE2D5FEC39C68FDED69687FC02A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1116320
                                                                                                                                                                                                Entropy (8bit):6.6439477896792
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:43e0ziO6AJ8+utVRA8WDlLeO9om5EoU/mSdWKURfeGWTbrWnoDzgVdkn:43e0BlJ8TRocOWmc/DamGWTbwIn
                                                                                                                                                                                                MD5:496F077B5C7B487EBF3E6222A53783EB
                                                                                                                                                                                                SHA1:EEADF861F1EC14A8FAC957ADC2191B252E609FCE
                                                                                                                                                                                                SHA-256:F8DC3E1AFC09A8C21B5C4C7AFB17C520AFE0263CCE8366CF57471D1D203728ED
                                                                                                                                                                                                SHA-512:DDD0BA22E2BC0F76DA573EA6CD4AEC89A0F3CC1D32223938C963850F2348D1C8086C508E06F4076F3820A1A2B35A47D0497C4CA5E211CAF5BAC18BBA4F53185B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.754858406085234
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:FsiCLx+eWl+WvXpWjA6Kr4PFHnhWgN7agWfiC7L4xxu3O6YX01k9z3AnUGj:fWPWl+WvXYA6VFHRN7AnY1R9zK5
                                                                                                                                                                                                MD5:5A0D5E375A4568CEA219B700365A3C5D
                                                                                                                                                                                                SHA1:2EF3BDF476C9EDA2992A2FFC13FBE467D6630803
                                                                                                                                                                                                SHA-256:B14DA399FCF67C895F70F3B609937E28E7CB1CB7FE46EEC51181F1CB5F8C6D6A
                                                                                                                                                                                                SHA-512:2DDB829370CAAFD3298CFDEC06A067CF6EEAADB3A88CA7F7EBEE61ACB2747744B78DF4BDC43304427D135CD73CBF907D000DF6DEE42F18C05B8C9EF537DD2BC8
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):43168
                                                                                                                                                                                                Entropy (8bit):5.182597235608364
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:iWJeWvhx1Yc6PuTNtyVC0a+SKODVt9jR3YA6VFHRN7dBWkBmo8R9zYU:NvbGc6WTUK+jOZVFClGCmoQ9zp
                                                                                                                                                                                                MD5:1679D883CB813D80B1257AF4ADC0AD77
                                                                                                                                                                                                SHA1:F8573165E89592339B18FE392C0FC004405BBD74
                                                                                                                                                                                                SHA-256:9784CA5F49D11E8A112D39FF3EB1105502A20FD2331EA1523CD2F491A5E8208B
                                                                                                                                                                                                SHA-512:8D80120B954C338AF0BC3C17EE113028921EBC66A4A2F061BAA32CD6F21D163F125600CF3209948D1890952F4E5EB2A480C888F18563DD2FD4C149AF80E34E48
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16672
                                                                                                                                                                                                Entropy (8bit):6.688841643360067
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:MuCkGQKyxAyCWCCWv3g0yWxNzx95jmHnhWgN7agWF7qT8RwX01k9z3AhStpK6/Ta:M2F4WCCWv3pBX6HRN7u2T9R9zUspFO
                                                                                                                                                                                                MD5:63BAE6DF058D6F3D630713CA52343D29
                                                                                                                                                                                                SHA1:96A8411BA0786BE08E54B62CA8EAE6998CE57644
                                                                                                                                                                                                SHA-256:1B6B873F4C5F5985E7C3E6BA5693D1C676FE0773C9335003F97807712EDEDCE7
                                                                                                                                                                                                SHA-512:EC8892A9A1451C76D6CCA4835BBF242EAE417EC4120C69EBD47D484763583C1AC5D0BF73D28871B31F133C061BD9EB88E4695BC2E6E59C509C809E5478652205
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15536
                                                                                                                                                                                                Entropy (8bit):6.762522427444249
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:3hDixAXGWI3WvxNWxNzx95jmHnhWgN7awWJpccpBm+0U8X01k9z3AH50:eZWI3WvQX6HRN7CpcsBmo8R9zY2
                                                                                                                                                                                                MD5:6467861CB0D9DEA2AEC7DE8BE11739B5
                                                                                                                                                                                                SHA1:72EC68876D3115A13BAB42C9039613012AF2F82B
                                                                                                                                                                                                SHA-256:EF8A510D31E84CDB66278C00B62CCC92658C128026422A227A6774A2E8A727CC
                                                                                                                                                                                                SHA-512:FB2D0B89B8268BC3A29213B101FD6577612B2104FB1F16147F3C0551F28403E7BB91CE04328A0F65EB3164A3D186F1C3088BE051334FDA4346F745CBC18C95E9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.714372309412333
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:GeawQgWZzWvPYA6VFHRN7sUCMR9zGV5wfK:Ge/QHyPFClsUF9zm
                                                                                                                                                                                                MD5:A0BEA80A62152978E32251FA63A0ACB8
                                                                                                                                                                                                SHA1:3F4F646C98CB8628314924B463BAAD197D039BBF
                                                                                                                                                                                                SHA-256:9A3E5D6D51AE86A91D2EC90B2A2BE5DC2210F032C140C349F04256DE6ED441D5
                                                                                                                                                                                                SHA-512:4E8B600E1D59CEEE3411AF54758556B9792519C396EC9DF997DD58AF66B5505A4A86BB8F165391AC75F1CF0F092038B059C1C1D074E291B8C320D14A9695960E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):51376
                                                                                                                                                                                                Entropy (8bit):5.749601750476796
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:5UG932Xb+i171RsnV73v2/PL04IWWkmoQ9zItF:5PGr+871q7/2b0QWkmVzmF
                                                                                                                                                                                                MD5:E87C3E51080C7BB65E611B485A599ABD
                                                                                                                                                                                                SHA1:B9B02227ED6C0E3DA2D19FC6DE018E559D532E70
                                                                                                                                                                                                SHA-256:8974918F0BA83548BAFA900918F93B35770A64D8DBC7A104188CD6FFC8D0F157
                                                                                                                                                                                                SHA-512:3CF5541C5080A5774477A5077CB88006F7548F94E74D08D0FF33505B89C10B26E87162CCCB19CBE9C290371E3C83FD5AEE8A79637C251AD11EB6E6AACE1C57F2
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15632
                                                                                                                                                                                                Entropy (8bit):6.801183385142263
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:GzxAe+rIH5WL2WvAApWjA6Kr4PFHnhWgN7agWyZLrp0KBQfX01k9z3AlC+V/C:AAgWL2WvtYA6VFHRN73ZRxB+R9z0W
                                                                                                                                                                                                MD5:C1CBD3AEC800C18949C8E91853BBE2B3
                                                                                                                                                                                                SHA1:1002548B57C17FACAAB39960B0E6764D063A9E8D
                                                                                                                                                                                                SHA-256:BC700629D14BC36FE3FB97F28B9E0ECA8C59312F85E3844749E738B374CFEE7F
                                                                                                                                                                                                SHA-512:54B6407EA7772F2834ABAF1791FAAF6B7D56141B097D7D03346054D89844287062EA9FA6045654A7954562F00994CCFE94942DF2E36CB90C5B6AD8377816D764
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):30880
                                                                                                                                                                                                Entropy (8bit):4.644629646041882
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:bWoLWvBn5oNBVVp+YA6VFHRN7KBmo8R9zYJF:faBiBVmFClomoQ9zK
                                                                                                                                                                                                MD5:460684B262DE49F8A3C771B47C993EA3
                                                                                                                                                                                                SHA1:15B760439D2C0A0B39EEC012EDA53D67078D0FA8
                                                                                                                                                                                                SHA-256:2D796A9138318AC5BCFE96970F3C5920F8307856C1BEE5F9D5BEAEF0369AE319
                                                                                                                                                                                                SHA-512:41CF1EA52BBF2ADEB8A066533FE9647B67E9FEEDBF45DC4E517D61EB31A35B8944062DE7B59476AE8E533E99CDC5E06270957652A1467F94157264F53258ECBD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):18192
                                                                                                                                                                                                Entropy (8bit):6.55554414057899
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:AYSj5rt9x+uicWKNWv9YA6VFHRN7s2IR9zXRv:ATj1t71c9FClPU9zl
                                                                                                                                                                                                MD5:76436C13BBA8732978A08454FD284D23
                                                                                                                                                                                                SHA1:359A7A36E8DF9517450BFF786C07C68ABC004C9A
                                                                                                                                                                                                SHA-256:AD4C4C92BAD3D1BE04793A39377129A42C45C227FE404113FB9F9BEBDA3C4B06
                                                                                                                                                                                                SHA-512:23DCEF122EE3DA9E0D3A40BCBAE1673DC5EF84103207D56FE5B3823E8D20D5B15124BC83DE0E6DD60AC06BDE8F0EE6527E7D70A654956DB68F4AF97FC4102A6E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15632
                                                                                                                                                                                                Entropy (8bit):6.8214166952315685
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:kKfpo0MNnIWbmWv+YA6VFHRN7DRxB+R9z0d:DBo0MLH+FClDRxw9zC
                                                                                                                                                                                                MD5:3AB302DE13AB2C008D41B4BC381F5C45
                                                                                                                                                                                                SHA1:DA82EF01893EC54D6AB9371EA93B398270923323
                                                                                                                                                                                                SHA-256:0D269D39F04173829F9686CFFBD8AF33030D2D6BBE42BF090FD35FB86DA6FCF3
                                                                                                                                                                                                SHA-512:E313ACA9F9805B7CF98BB855E843D88F5E0585B86F132B788D58A593A0017C18521ACBC1F842421B50D2FCB56B62ECFD3CF0C87BD7DA7129D56BD2CBB5150488
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):51464
                                                                                                                                                                                                Entropy (8bit):4.966231479839345
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:qOwMiFMwIImR3GwWxUezVsPkDb6i5DC4dezFTa:qpdm5GwYxEkDb6KFIta
                                                                                                                                                                                                MD5:3CF7102500300B05DA0684577ED54202
                                                                                                                                                                                                SHA1:7DBD4086C08A45C405AD38338E1D0B4306671B09
                                                                                                                                                                                                SHA-256:64889EC4D820F87797894D0DBCE86240830F8DEC085A3C1DC6E21250F512E34E
                                                                                                                                                                                                SHA-512:C7AE087E7E30DD14315DC4AA4C70E4A7C94F272C41BB49D3041F18474240D895371DF0ED2373AE92FB561004324565D52237C21607F7C0BA3DAD33CD61DA7DD2
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15520
                                                                                                                                                                                                Entropy (8bit):6.831239516010608
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:q7e1eTxASTWyUWvqPpWjA6Kr4PFHnhWgN7awWr4I8HNsAX01k9z3Aa30ah1A:qCUNVWyUWvcYA6VFHRN7LtHNsAR9zF0x
                                                                                                                                                                                                MD5:FA3EC6DB4842FE658F04CF3789CD7209
                                                                                                                                                                                                SHA1:8E471D546C18604F20AC6F4EB4C242B887CA0689
                                                                                                                                                                                                SHA-256:B7EF3589E7F793D9780FA32EFB2595C91A85D92E6E0FF62B5187142114F1707C
                                                                                                                                                                                                SHA-512:337ABA8011D756C69BBA57C2517487FCDFFB0A5D22362669047776D28D789EABA286E867E15196736F83346466B63AF0DA412E283E6BC3884F5C7819085F97CA
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):96528
                                                                                                                                                                                                Entropy (8bit):6.024769249295685
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:BOryyBJoyJyGXe5CtLey6+67NVpnSPM+l5+tkmVgKmH6iRnzDDn:BPyJO5CtiXdSPM+r6kmud6KnTn
                                                                                                                                                                                                MD5:1BA98C8A3C7D903ABFF78D01E081D64C
                                                                                                                                                                                                SHA1:15EF718B9F1EEC435C7AEE8A59B41562D88934A4
                                                                                                                                                                                                SHA-256:69DE6AB16DFBA66224B37E4FCD5E62AFDF45F75C9F5C78BFD6CBFA09142390C8
                                                                                                                                                                                                SHA-512:FB194521D9964012CBCA456505A9858B49F36009A6E9DCE9F9EC6126693990750285F57DB2831048606336EB9F28193D6073B3E6CACEF337D7323A3967FF3846
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17056
                                                                                                                                                                                                Entropy (8bit):6.59164397370935
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:DnA37W6LWv2qYA6VFHRN74G/6fR9znQJ0:Dnka2qFCl4t9z9
                                                                                                                                                                                                MD5:5B8D61FE9D1525A7F1479001B5ADFA91
                                                                                                                                                                                                SHA1:92A41489B496F19730C99AC70A3F4B85AA9A4024
                                                                                                                                                                                                SHA-256:7AF94B0D91DE391BE95AB3DC816EAD7072CB2354199773FBB05C2D3AC1C3F871
                                                                                                                                                                                                SHA-512:B9D843B6501E304D971CCC8C3B579E4430E4D7C05A2122EE28DDEBB017C5A0EC1A348BEE7D1C6E1DB11EEC01FCE6F11909284ECABE079ADA742800D94F34F235
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16144
                                                                                                                                                                                                Entropy (8bit):6.745282705194393
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:qjMTlhAxYPWuGWvlpWjA6Kr4PFHnhWgN7agWFdYPKDUX01k9z3AWipYNX:qjMTlMyWuGWvlYA6VFHRN79pR9zvHV
                                                                                                                                                                                                MD5:9CCB06FECC5F840F88BBE8E7C9797CAC
                                                                                                                                                                                                SHA1:75D00AF394B6E8406C5DFA3E7F96A68363368FC7
                                                                                                                                                                                                SHA-256:C160277C510E5A535B2369A7B12135E2E790EDD1F34EC2B1E2FC80ED8DE475C8
                                                                                                                                                                                                SHA-512:064B5AE4FAA13A3C68627F1CFC88E9B883179CF64FF14110DEE4AEE49F278DD66402BDA29B78ECBB9F3368A5A52A35C647C79D8EF7903B15BFE9725B5C5FB883
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):329888
                                                                                                                                                                                                Entropy (8bit):6.652393975318632
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:x17UgKhUflT6tEFs8Sx/mPueNpQV587It9diIKc1yCC:x17SeflT6tK8UQV58kt9diUsD
                                                                                                                                                                                                MD5:721811312D3F000E40A403983E60F6B7
                                                                                                                                                                                                SHA1:DC9E6186A10ADF2419F8DAAC6DBBB11472A3BBB5
                                                                                                                                                                                                SHA-256:39562DC738F28E2994CEE74207BEE53C833231EC68B2885E403DC3D9C43B6821
                                                                                                                                                                                                SHA-512:E25E51E6ECAB823691F2E5296EBD257D15521639FBB2994B625433921445F8BE14A4FBB6D4A19A0925B0D7FC07031EE16B48B7DC4396B4A4916626D673B4EFC3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):309536
                                                                                                                                                                                                Entropy (8bit):6.56574804790244
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:nzv7WOXu33WPEei5EZNqHRk5XDiio9gZbzZYNAgk74dzzKX22zRrRBKZ+FhJDwwz:J2WR1BpLDRcnFIB2ahm97z/+
                                                                                                                                                                                                MD5:B0A85005B5AAC68913092BEBEE39F34B
                                                                                                                                                                                                SHA1:4E747E19165BB28054F5895A36ACA213E3B6A115
                                                                                                                                                                                                SHA-256:984ED1D9AC926AB13FBBD8712CDF3CA5A7701E57C1A22B684541E46ECFBA9979
                                                                                                                                                                                                SHA-512:86991DC81D38E14F19B7F1C1155F7DDFBA2FC2ABB5E5843C238984C876D5BF01E6F6613F022372226B589056E1ACDA0B7227937939DABAF33311CCCCF583FB0C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16152
                                                                                                                                                                                                Entropy (8bit):6.7495299582867805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:UVhg/xiIqHVWbodB5WvgWcWxNzx95jmHnhWgN7acWnqAgfcMbnoQNpX01k9z3AZl:UV0fYVWbodB5WvtjX6HRN7Eq/7R9z5iR
                                                                                                                                                                                                MD5:083C2972E3414380BD45BC621EB5295D
                                                                                                                                                                                                SHA1:1F3ECEF2865EC4C45E513A9846258DC6A280B3E8
                                                                                                                                                                                                SHA-256:17AD1F1709F3A153FA0DBD43D4DD46D2477D090949AE86E7E88953D8C19A83F0
                                                                                                                                                                                                SHA-512:7F3E0AFC520CB9C6C7D8DEDF3E97B4AEDB8D44EFC2BDD1CBAF27CA02A0DB5E09BDC6FCF6894E22A548575BF523AE1A6895838BB816A5DE1323EBAC87C0A3DDAB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):39200
                                                                                                                                                                                                Entropy (8bit):5.1532257055006365
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:gHWF8JBrWvXsWHkhzHE0ue4q+k+ars69R9pnUkO2akIGt6HHDZax1IJhXcKX6HRy:gq8JB6cBXDsw9pns77EiWE6D9zIl
                                                                                                                                                                                                MD5:5E78166E97851B13B4087A54EF712D8C
                                                                                                                                                                                                SHA1:5228E45D993D397B7355191C2A50F03334851A00
                                                                                                                                                                                                SHA-256:E91D3502B52775C240CC81B9D3BF36E503CE9C2640B45D1614BB667AA5C1849B
                                                                                                                                                                                                SHA-512:67D6194F6975110C67C3966F0AE994AF433780239E9270C47903A1AF0851D44443885A6573271767CA85B1DD795B7D441A8A4CCE15966985E5A352280D7F4006
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17184
                                                                                                                                                                                                Entropy (8bit):6.676772135546476
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:ckrZI8N3bMWsUBBgWvBgEX6HRN7x9R9zUsp/:ckrZI8N3biUBBBBgMW59zzp/
                                                                                                                                                                                                MD5:FB2252EE905F33760D6D40FF4E5A37A7
                                                                                                                                                                                                SHA1:C93E55DF5AFC58809BF4099EF62F739F089525EE
                                                                                                                                                                                                SHA-256:3F91EEC7FDF494D6C223B093024ACA3B6F16444F89D1D7A26B2F4F289BC8F830
                                                                                                                                                                                                SHA-512:38200EE479F480C34A94822C563A6862A124493F14F786FFD63249215F5047389DCC3E95CB6ED1CB729DDF89BDC23F0A25845677F19C47212403B8D1995CA20A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17160
                                                                                                                                                                                                Entropy (8bit):6.688880877671809
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:p6Xu2tNCj8NMbLWgV4BHWvPYA6VFHRN7wVKau2R9zGN0u:MXNtNCj8NmPV4BGPFClwAauK9zI0u
                                                                                                                                                                                                MD5:C173858DDAECFEB532221BC0714655E9
                                                                                                                                                                                                SHA1:E6C6812A3562369FD0DEAC4A58573D278FE61E65
                                                                                                                                                                                                SHA-256:3FF4F2C5A52617AC51B1B030FA1C77D5BCE4CB39C173BB78EFBBBC2A7C84BF66
                                                                                                                                                                                                SHA-512:A0825419C6C6C118D37D11276E079EF64D94321E97AD880CAECB8AF41129E19CDF769AC3A762637E108443AEF7CBD171C4ECEA0369C515752911B5AA36F9B6A5
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):43680
                                                                                                                                                                                                Entropy (8bit):5.842163683540018
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:C+1fsSED2vCeDQvRzXB3gWql6375IVxedktN7xPBhwsR/JG39QRoNvsh2JcfoDLf:2B/LuYdy50b4b7RSHnbOiKmVzvP
                                                                                                                                                                                                MD5:EA2E0866F900117135C1771D85281303
                                                                                                                                                                                                SHA1:EC58A506017621DB3233D1513D28727EA2FA7C7A
                                                                                                                                                                                                SHA-256:819E11FE3C456DFD56377233B2BAE5BC11FEF41FA3A8816ED30FAFFF74A2090F
                                                                                                                                                                                                SHA-512:4FAE0463DD343E74D73401E9724E17F044699CCCCEE3873467A0171360FA1F0AF080178A71AD7DDC7878218C9069ECCD9B7B85557E699FAC0CDAAA28BAE0C40A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):231688
                                                                                                                                                                                                Entropy (8bit):6.4927538353537635
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:QTJLDgw9ow9j0rKu8bmb3KD/L8V8/6Xe9QF+wVkjox7rtefYGA/+PXuXUGL:mgw9ow9A4bmrA/mt7jWfuka
                                                                                                                                                                                                MD5:01187D21FC09DD04F699064387D5E27C
                                                                                                                                                                                                SHA1:F6B7086AAABAB39E2AB7A2FC5B130BC2150FC1C5
                                                                                                                                                                                                SHA-256:BC1F295790C53358899C6721E0CED2F33F695C2421B2BB97FAB18F9DFFDD0198
                                                                                                                                                                                                SHA-512:185FFE28CDFF7738DA5E278616B374DF79D0B1486B3D4B218266E1C408003DB509AEACF9D5C10D3F84EADED3BB9BD2A1A55F1156F9CB1C320384D62B05009410
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):100616
                                                                                                                                                                                                Entropy (8bit):5.964892851536555
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:yQAG0KzKsXnTOShX+bX5SHuDQp6O/U/xOQwQ7rzUU3q2bP6NLrSjlV4i7Ep4za/e:ywRXSSV+bJSHu6cgXSJV4QXUe
                                                                                                                                                                                                MD5:82BB53A6347A98BC441E26C6EFBB6EE7
                                                                                                                                                                                                SHA1:94FFF378394772F8F6B37A66A3C7DAE43F3848E3
                                                                                                                                                                                                SHA-256:D407C1380C52E1A04E554C0B134D9BC4699C7225290003ACE8E988E4AEEDBB25
                                                                                                                                                                                                SHA-512:4BC1BFEF668F6843F85FBCC28B886E66BB886D30903C8DC8CBE3CCA8417AFB6130856C73FFF0686E3022ACEF8D26994DB4CF296ECF788EBA9D59B8E21EA74E58
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17568
                                                                                                                                                                                                Entropy (8bit):6.594046728282668
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:j63EqCxAvK2WIBWv59pWjA6Kr4PFHnhWgN7awWneCjVi6KrIX01k9z3AszWInEn6:20qIOWIBWv3YA6VFHRN7R49R9zriJ6
                                                                                                                                                                                                MD5:3D57375A1B2FB9E988E522F05125C445
                                                                                                                                                                                                SHA1:B11D29EED40A5F27A20186C8A31F97098B54CB37
                                                                                                                                                                                                SHA-256:3BB8895B734D1967615845BD34FE9A3BB7AEC23546D1E55C16678697B92E466D
                                                                                                                                                                                                SHA-512:C31248443035E571CCBD87996DDA2F2898EBB5665EAF99B8799A046D7C6F6D4FBB1B2DE1F5B87BE56D8A6B4181EDFBDCA8D0C873AE0856F1EB0E801349DC07F1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16656
                                                                                                                                                                                                Entropy (8bit):6.715593579536355
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:OvV8AxNaHvxAPADWZfWvT4pWjA6Kr4PFHnhWgN7agWkzKDUX01k9z3AWipd6T4:+EHZjWZfWvsYA6VFHRN7rpR9zv6
                                                                                                                                                                                                MD5:A52D0E2B5EDA30DA599AB9EF536EE43F
                                                                                                                                                                                                SHA1:C2CA58894F9B26B27E090BAB6D483546C1F83F56
                                                                                                                                                                                                SHA-256:F45FBB7D188FEF81BEBFC32F177335FCCB6CE9E9BC014CBB99752D8F085CEEFC
                                                                                                                                                                                                SHA-512:4C9FF15E1BE5B968990726BE10C2A910187E368AA6E9AA55F9235438F036F50B3D04B40DD6C9BC3EFC2AC2C275F2183A750E033AD359646A20A6AF6045E07719
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16152
                                                                                                                                                                                                Entropy (8bit):6.795893683417245
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:bTbUikV/AvcaTAFC2xArKWJtWvjWkWxNzx95jmHnhWgN7acW6swKUWX01k9z3AdF:PbUVJWJtWvCLX6HRN75t2R9zGFP
                                                                                                                                                                                                MD5:A6C3B858EE0CA8E265219DBDD692DA96
                                                                                                                                                                                                SHA1:1A6C76B404ED9ACC793A7C1DAC68FB664FAE0718
                                                                                                                                                                                                SHA-256:44BFFA0D3D0C59AFCB6205071167B52D6AE5DB3E8F167C955FBC5592EE422510
                                                                                                                                                                                                SHA-512:6D466C9A8C5DF820DDFECDCEA511DF858CD7B26958A629D7F0463C0441DA1AE9B1F929C2B19B0B63D1F494C4338855AF2B333FD57E01AAEB99B0E35FDED3FBD8
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.7285494674641
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:0zox6WeWWvYYA6VFHRN7IL/6fR9znQ2BDi:0zoxq3YFCl19zpDi
                                                                                                                                                                                                MD5:11867901021083A68FA4D1FF345F477A
                                                                                                                                                                                                SHA1:FF0889F05B3161F7D27CCC5FE2DF7F9A430D9E1C
                                                                                                                                                                                                SHA-256:CF9436FF6A04184E6049CCBC5C27D638DFE5DE134640C35A4D5873FAA010FCC9
                                                                                                                                                                                                SHA-512:D2B42520FDB3F83C8648047AE1D4E6350F81BDF3D8286C4AF01221DD2DD9B018B5DAA390927170FE49CF4ACB01DFBE63D45CCC4AAF6B451BAF9AA22B239CC2A0
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15536
                                                                                                                                                                                                Entropy (8bit):6.831442459723241
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:oz3xAn1e9WABijRWvtWxNzx95jmHnhWgN7awWChD/DoSJj+iX01k9z3AjFDk:i79WABijRWvuX6HRN7v9/DX+iR9zwW
                                                                                                                                                                                                MD5:4C8CC0E429ED432A088EFACAEC656770
                                                                                                                                                                                                SHA1:590F274CA3075533293AD01E6088B473E604602C
                                                                                                                                                                                                SHA-256:738F70CFAC6A793F518DB6E3586F2740BBA663DAABC07672CE2A4918A9EF5580
                                                                                                                                                                                                SHA-512:7C1BA5A2B9B4433C728462928FBA4A3E5C42E3E63EB202F4DAE90C129B31FBB5CA0DB3522ADAAEB29AB2D0D67D4AC476C9EC6959A5AE771DE19AA7016627FE98
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.7781584154919665
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:ifO9v9WY3WvbYA6VFHRN70zwVXC4deR9zVjTTDS:OOFZ2bFCl0cVXC4dC9zVjTnS
                                                                                                                                                                                                MD5:8B04C9FB125B99DA5BFC0381692A5FD3
                                                                                                                                                                                                SHA1:19746B26152A1A83A0A5B3A736A131CB59287779
                                                                                                                                                                                                SHA-256:825A454E5B4595CA7F105A308288873A9A28F02EEA1A524D395AED224DBD57A2
                                                                                                                                                                                                SHA-512:15F30712C990050A455708CBCF2AF2B18F1FDC4581E5F0A2A3E7992F3AFC8C59FE110273AF9D7FFA9E0D0D7F7844D5C0AD1CD6950C9F235BEC7389B6B5D5C27A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17168
                                                                                                                                                                                                Entropy (8bit):6.744985038171994
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:2Hzoc2l9WWfWv7YA6VFHRN70ORxB+R9z0AG:4zovlru7FCl0ORxw9zXG
                                                                                                                                                                                                MD5:D671EFA2A023A61CCA5729BC5696B4FA
                                                                                                                                                                                                SHA1:B26DFFC059655C32092CFF62F6C6D074C4F2B186
                                                                                                                                                                                                SHA-256:02C67B42BD1C6E8D8954F96C3AB7C00575E7FAAAACCD58A8F60CD20CD74A2D43
                                                                                                                                                                                                SHA-512:0EDA02115C25C6BE1F48D5EF85C87C2889F9ADEACE939F17320EE25EE27BDCE741E18289D7E36E2B1634C2C56AD1EE38C6B1DDE05A735E2CBF910DF4060F0AF3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2050208
                                                                                                                                                                                                Entropy (8bit):6.677577580791444
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:HUy8hZ9wf3V7i9KAgmJE2Jjd/mxObmVw6Q41x:HU4QRgeL41x
                                                                                                                                                                                                MD5:814F7E26E5AEECCEC424393D142FEA98
                                                                                                                                                                                                SHA1:A9F8B6CB03EBE4E64E2B17FB4E57C17D24B7B00A
                                                                                                                                                                                                SHA-256:60F3B82345E2812DCFDEF98642B2CA707B34C51D917D86615DF309714EF1E9D8
                                                                                                                                                                                                SHA-512:46FF8137B77EF79BF5C8CEDBC35F263AB671641B50E0C16D705B744A9E902E1D6349D58570D3BBF4532CCCDD8DAAFBB30C2173C52E02734B589303516ACB43E4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):186528
                                                                                                                                                                                                Entropy (8bit):6.415230610741847
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:pSw4kXyyyLNMWWqfY8SJYrjXQori1RqU2TOK1xguZunS:VCyyKSA86YrkorvU2rfj0S
                                                                                                                                                                                                MD5:287EDFA9B689281780A9475A99A587CC
                                                                                                                                                                                                SHA1:B29E4F6C62D1C1FC83BD4DD9F73405F8173FD28D
                                                                                                                                                                                                SHA-256:FA4952DF244AC5DD6D5D36B62E25B2CD0BF844453196D29838638518CB6944B6
                                                                                                                                                                                                SHA-512:7D2BB2334D641E4831C3F2A4A304AB82DAE11B5F06718524B479D27C5B151212692E97A114FA40B7BB8610DB8FEBDE4B2BC2EC8A4C555197D295AF057B636C08
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15640
                                                                                                                                                                                                Entropy (8bit):6.801577686636654
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:kB0LPxAb0OOi3jWVMfWvVWIWxNzx95jmHnhWgN7acWnwKUWX01k9z3Ad7eTowl5:dL5+WKfWv0nX6HRN7Z2R9zGAl5
                                                                                                                                                                                                MD5:D5AB3127B17D4E08CE04CFD5CC3DB2DA
                                                                                                                                                                                                SHA1:D40032C264C94D084ACC129FD4B467AEA550936F
                                                                                                                                                                                                SHA-256:5F45B771954E4B7DC4213F1E808AA1C01971384F314E17A804595604FA272735
                                                                                                                                                                                                SHA-512:347977CD08F6C7242D8F1557C36340D617E06F2CABBFF8452F16BDA1E57DE105F72C016846717F317357071EA6F874D60CD8F3E552C58EE4B4DD3C0478BCCF86
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15648
                                                                                                                                                                                                Entropy (8bit):6.831749206420305
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:4FMYodxAanD/YHWl3WvM2WxNzx95jmHnhWgN7agWGhHssDX01k9z3AeKD++zEA:41mVDQHWl3WvM9X6HRN7pFDR9zzKaM
                                                                                                                                                                                                MD5:B815AFF49D8A185341D31ABAB43F4DB0
                                                                                                                                                                                                SHA1:BF661D387D2FB9FF3BBD51B5412B4B395A76EA01
                                                                                                                                                                                                SHA-256:D788B912A2FCADA28A9A1E2D221AACA429D20A420B05315F173A5A5365BF3D5E
                                                                                                                                                                                                SHA-512:BC07CA500FCDD762032D5911C303DBC28B1E720D32A91129B3C1C07A8B01CDF73DB82E69D5C02571001E06D83C2589B40EFA23CE1820029DD0156A6098403762
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):18592
                                                                                                                                                                                                Entropy (8bit):6.50782634151712
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:uW7XHkE3jDvupZFiVyJjxA7A63WwDWvtpWjA6Kr4PFHnhWgN7akWWKIjwX01k9za:5If+3WwDWvtYA6VFHRN7EHR9z0A27ELu
                                                                                                                                                                                                MD5:042B64BA15515B5ACC1B53D31076EADD
                                                                                                                                                                                                SHA1:C8D810607D642B7D63C4F0A70FC5D891CD0C4D83
                                                                                                                                                                                                SHA-256:5CD2E42D0C8C3BEAD4B8BD993750A3D5D266039DAA52506F7BFC27783990226E
                                                                                                                                                                                                SHA-512:E624E89ED367F0C91D8B597CB351A030ECD6FC0CBE45AE5AD5F48A45D76C0C3F28EF8A4BFDFD32D37E51A7555E7FFC74B0CCE5E751FF0CAE6F8C7E8A90F9953E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17056
                                                                                                                                                                                                Entropy (8bit):6.6307312364714805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:P4n7palYIWo5WvLpWjA6Kr4PFHnhWgN7aIW3k+2NowcLK+X01k9z3AcjTvGY:OmWo5WvLYA6VFHRN7gk+2N6R9zdTGY
                                                                                                                                                                                                MD5:17B940218F1B5A16BC7576F345C3CA04
                                                                                                                                                                                                SHA1:CC64810DED8E394421DA7B9521CF5E4EBE977D59
                                                                                                                                                                                                SHA-256:BE6B73071C8E8BD1EF4702CFE2A5AF73A926D64996479DF2A6E296F942C4DD3C
                                                                                                                                                                                                SHA-512:3B323281E07A6A207AA23B255AAF1D4E958C8844627CBEAF8413A9B3B234A88B12593E2E0F33AED0EEF10A4D17D384513A1034E85D9FB3ED7969C6B83C68C9B6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.742653380857255
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:2h/pWnylpFWvcYA6VFHRN7z1649R9zri8a2:2hXqcFClA69zX1
                                                                                                                                                                                                MD5:B690D3E96E11B84ED793FC571EA0A78F
                                                                                                                                                                                                SHA1:9D9090E5A702750F4CAC744D1D7651BBA6BCBE7A
                                                                                                                                                                                                SHA-256:7BB1C84D14EFCCBCB84A1F075CC00814757DF752E80A6FC472A1A4FAC9E0C97E
                                                                                                                                                                                                SHA-512:CB0971C76761455A6D226227442B2A28339C939381D26AF38C91DA23E38883915E712F2966FEEEF090A9996A993A45633C14AA2BBF6C94092245FA9553F38F0A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):862368
                                                                                                                                                                                                Entropy (8bit):7.456874615261393
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:5f7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPQYBKgTWeUAm:5D9km6k/IwRYbiBeKGCHYTy/Am
                                                                                                                                                                                                MD5:BD45A5557BDB95B90A2B51CE1C82E868
                                                                                                                                                                                                SHA1:576C6EC24EA8DAA10FB7C8360B867C26A78CD9FB
                                                                                                                                                                                                SHA-256:F22C997008FDA321A85557778F5BF95F369AE6DB161A52D4BB08CEA6991215A2
                                                                                                                                                                                                SHA-512:989CB3A5B896644775CF5874E99E8DFDA3654AF6D7E8AEA7B38769078B67CF2B87B475A0D494D1717E83C4CA7A11B15895B01BD0C16D122F101E1FC46EC05F00
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.712115863132619
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:9CAmXhpuwx9HlWgJWvJpWjA6Kr4PFHnhWgN7agWtYJxu3O6YX01k9z3AnE9:9qxvrWgJWvJYA6VFHRN74YdR9zKE9
                                                                                                                                                                                                MD5:8DC6E3FB54FAA14613CE7A90722569E4
                                                                                                                                                                                                SHA1:87F0EDB5AEE1326917F74586B8985C06C4246E60
                                                                                                                                                                                                SHA-256:08E5A63DEB24F9F9DF1AA4128F2020644A86EDC8CC42D23D3E5E4E00A4A1F52A
                                                                                                                                                                                                SHA-512:B29AF1804677F24B4E2A9EFBA474C66580F530C09B001E747D9E6676762FD0025D23B6CA2A400F2EA7B09ED7469F160DC32D79856DF30031FC55204EB8C9B936
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.7004639534089705
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:puw2W9NWv5YA6VFHRN77vhk7vDX+iR9zwB6:puoc5FCl7pEDuO9zR
                                                                                                                                                                                                MD5:B68AD44BDAF4F427A9E17E58326AC076
                                                                                                                                                                                                SHA1:6274AB86C6F1F2A0BC2C13C541BA970AB7B7090A
                                                                                                                                                                                                SHA-256:5A33C014C9AD5C8A60E889F80F1D9E4B3D36DD10FAB49BD1D2538325E7B6EDAB
                                                                                                                                                                                                SHA-512:1911C839E162A8FE4ED80A5CADCB9019D74E07CFEDFD68AE151A66D0B38A9A601CFE458EA1FB79B608A799618C454EC70C971A5F3EE92C96E35BCE77C3604907
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):133280
                                                                                                                                                                                                Entropy (8bit):6.118931111888508
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:7mTuj37yym3E5T+zpq5D3lhjdPTp8K76+d05Hzdy+NXMBpm4+SqUNiNxCzQd:7mTuq33E16qvZ5N77uLLN8BkSqUNACkd
                                                                                                                                                                                                MD5:1829B95B9A2AB17DA9612B1529D5DF0C
                                                                                                                                                                                                SHA1:C6B08686B182940D659D9E12251D8CBB02602BAE
                                                                                                                                                                                                SHA-256:E73E129E5AED0F39F9147CD1FF2E047B01227AA791943D69A1DE4785B9598FB4
                                                                                                                                                                                                SHA-512:FF687A80F9DF35DE0CA2A606763631D21D3558F9702028C2E50E20FA46FF4401DCE4585D69222E64988EF7221276363B264C1CFEDA2F67F9FB132839FA7C8E39
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1501456
                                                                                                                                                                                                Entropy (8bit):6.703064329512441
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:iNDUuuRgw5xH6D9+YFVCwIbvRz6ySHAJcEVAvM8UbUJnBpK95:8vmTH6DMYTCwIlzPScp8UJ
                                                                                                                                                                                                MD5:44E63A84FC57C49E4F2FA313CF651CBF
                                                                                                                                                                                                SHA1:65240A270AFB9C06B65BB08ABF2CB8C1FD44EE97
                                                                                                                                                                                                SHA-256:DC8B1118B266EC750AF5B4480869E01A97751A2F55352AC6908CEFB4A59499D1
                                                                                                                                                                                                SHA-512:A0078A0FE7C8A092E71841287543E276643A0B469DA77D11B78F7857A6D5A1099FF6E4CE67A7B9992B60D97184922EA118AFD378EF4A357943D054A796456491
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1022128
                                                                                                                                                                                                Entropy (8bit):6.821588247611613
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24576:7PNtms1Go9Fz7KPTT8inDiv67tA2ehjEnQKL:N1G457KLTRivKehjg7
                                                                                                                                                                                                MD5:66FEE2E52A143A1227E062E88F4C3C19
                                                                                                                                                                                                SHA1:65F5B79A84F89C820DE6273D0F7F323189C81FF4
                                                                                                                                                                                                SHA-256:B9FE1181B9C0504D97940331B47DA8817BE5C202A0D57C2B92FE6909972F2012
                                                                                                                                                                                                SHA-512:36E1CDB8C5AD2064F46BC30FF2F3742DE94D057C0D7ECCC1B1AFE1416EAD3128673CF35768396289FD34249324AE2958B0EF9C1E06298D533FCE7B40EBECD1A2
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):133400
                                                                                                                                                                                                Entropy (8bit):6.277895373459539
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:Zj3t+/k1S+F3g2vlsEjd2fzs6FlsdJQ/WoioIa3cBPdzcWxRC4dezFTDkn:Zj3tYkwQQQmEjd2ZFli6/riY5avItDkn
                                                                                                                                                                                                MD5:4D0F0F9563809C92DD1A38DEB4E24F33
                                                                                                                                                                                                SHA1:03D2328EFB08D1E86686F8876595A162753BE374
                                                                                                                                                                                                SHA-256:20DDABA930EE090B47FA38722EB0D5D23C9F860E45B3A2C1F03CDB4EA1B69C53
                                                                                                                                                                                                SHA-512:DCDE9B8BEA8DD1111B2908FF89C96FD8CAD0812881E359EAB59BDF13451F5FF1DD50EADFC2FA2489B8B60A90926DBADC9D4641196974C65442006B0F142B5ABA
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16160
                                                                                                                                                                                                Entropy (8bit):6.742004031944957
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:PHYCHwcH9H8HzW8HWvdBX6HRN7YRxB+R9z0xfb+:KfGdJWYRxw9z9
                                                                                                                                                                                                MD5:0F9296306DE9D1BCCE253FC647D1E8D6
                                                                                                                                                                                                SHA1:2ECA5248F203D94813F3428A3C3A82CAFE973635
                                                                                                                                                                                                SHA-256:D6AB3875C8FEAF7D6FD9B1EFD18B1FFD10FE46B2FF3A2F24D7FA5D16F927EC0F
                                                                                                                                                                                                SHA-512:C2A5F479BFEA3357BE02E3C1340C303DD4D20CF3F6A78A6092FB2ED9E3315863F9F8A8673BE7927FF7B9FCF1210C50B90BA6123CAF1F845033EDB7276ACE33BD
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):489752
                                                                                                                                                                                                Entropy (8bit):6.715559969531241
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:X/ZX6ZS+34JkIT8tA7nPgNK4pFI6yB5v3Jx45WX9gLP:XV+Icur4vi5v5x4IX9gLP
                                                                                                                                                                                                MD5:902DE8298523A79CF1F6E013E4CDE766
                                                                                                                                                                                                SHA1:0D797B0D06D107A8DE21F72C2ECB6292E5E0F0ED
                                                                                                                                                                                                SHA-256:E383DE92AA93F424FAEED789CDA2B920699D4A6EC805E5FD46833DAC9CD319A6
                                                                                                                                                                                                SHA-512:4C0A192E7D6E9BDE627546ECE7287D41184E4FD91AE0DC87D660B5894BF210C27F3E8B1F3E8F5B568ECEF6C29D8AC2980970575EC2ACB6E696391AD88FA9D666
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16048
                                                                                                                                                                                                Entropy (8bit):6.76076698039701
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:RCVT05B091ncmYdJfFWCXWvL4X6HRN7N49R9zriD:8VAMopWL4WN69zu
                                                                                                                                                                                                MD5:1748BB8AE9ADB170599FBBF94B472B8C
                                                                                                                                                                                                SHA1:A8C8C75A96743945325B9FF652FC99F3037EBC4C
                                                                                                                                                                                                SHA-256:578E16D2A7B2C1647F925A611962CF256D8915121B86B5A9EDDEA82A9B3C012F
                                                                                                                                                                                                SHA-512:08A8E6F71445C2D84075111B889618B7935D70312A33E165525210DD96EE9DE5287118443A87EBE6811CBB0334F574762EC2CCFB8A63E625D3173559EB959EE4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):133296
                                                                                                                                                                                                Entropy (8bit):6.342375712378606
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:UzCkkW0glfG6WVKdrhYnS+5On3kg9dE8rVP9kiTL:0kWxI6WVKVhjg8rVPOif
                                                                                                                                                                                                MD5:8B391D187DB389BE181E700081C81906
                                                                                                                                                                                                SHA1:EE3E0803D217FC947EFA6BA2D51CF196337EA4F6
                                                                                                                                                                                                SHA-256:C44D73E3582228CAE2CDBFE74F6A60D11B4E1B4FCBD7343FA52F3C3C12AEA770
                                                                                                                                                                                                SHA-512:0D89BEC917A2E82D39EDB089E8AF23C9732FA67205391709608DD0AA826DF5C9FAA9FEC4C265F7ED6AB8D109D620C878AD97F4F9EC8DD6D3CD1E6222DF007DBE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):17056
                                                                                                                                                                                                Entropy (8bit):6.608161458975255
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:4af4fk3CB2oqr9z9W7zWvCYA6VFHRN7Ki7Bmo8R9zYqgg:4af4B8ozyCFClKOmoQ9zqg
                                                                                                                                                                                                MD5:B252E2C17A4297DBB90BFCE9C66DB845
                                                                                                                                                                                                SHA1:2BABEE3632DE7471E338A95796E19596DEB1CBE8
                                                                                                                                                                                                SHA-256:35890B7AF3C51962D8342BD17DF24289438459971C0972DDC67E47534C78B790
                                                                                                                                                                                                SHA-512:31E6AEEDACEDF07EBF9BA7E26F40779005CBC11AAAFB86559F50652EAE5A1C7948706642F7D034AB6358DDB8A9E9CF952840F6DAF61C87E912C1A2FBE456FD59
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.750565769577352
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16160
                                                                                                                                                                                                Entropy (8bit):6.725064482931626
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15640
                                                                                                                                                                                                Entropy (8bit):6.779164699458774
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):84128
                                                                                                                                                                                                Entropy (8bit):5.965475930237355
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):661664
                                                                                                                                                                                                Entropy (8bit):6.673728367333183
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16656
                                                                                                                                                                                                Entropy (8bit):6.71053707165234
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15520
                                                                                                                                                                                                Entropy (8bit):6.796904916610158
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):59672
                                                                                                                                                                                                Entropy (8bit):5.885523824307154
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):15632
                                                                                                                                                                                                Entropy (8bit):6.740344128283329
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:6GqxAsOUWoo9WvDpWjA6Kr4PFHnhWgN7agWH4/KfKUSIX01k9z3AGoi7GtK:4LhWoo9WvDYA6VFHRN744o2IR9zXR7GY
                                                                                                                                                                                                MD5:EFACD5C037B280E814A636B399BA51F2
                                                                                                                                                                                                SHA1:FF434841129277A5F37E4D9F2B373D17376A9F62
                                                                                                                                                                                                SHA-256:7F2AEBB25BBC9B473D639AD55BA2470EBC50A805C89BDB7FF3CE47A92DF1FFDE
                                                                                                                                                                                                SHA-512:E161A026358E520A2494C05676DD9C658184388A33EA12F0441C34B7F7D6D75F18D814B24132381B6D4C9199BB916C9F06C33E919D2F8750EC19399891025A38
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.7201571212077225
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:XUnaHtGxAeWyixDWDSWvmpWjA6Kr4PFHnhWgN7acWPoAgfcMbnoQNpX01k9z3AZ+:eaHtsviRWDSWvmYA6VFHRN7uo/7R9z5z
                                                                                                                                                                                                MD5:F038E35B176485760C5D92877E33EE0C
                                                                                                                                                                                                SHA1:62974D42DFC93E87ABAA78EFC0E13F73667C380D
                                                                                                                                                                                                SHA-256:15E3C48D3C693F7182221BF369A528B33C99EE00C2E3840ED35F600FECDAB77D
                                                                                                                                                                                                SHA-512:2AC72E17F2ED3120130383FD1FEDF34329E53D19F5CA922796B7DD9561DCBF1E4246DE481677E51884C785215A684A4EAD29066504DA35EBC6B810DD3AF6F446
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.684545508308997
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:+t1KdJWg4WvvQYA6VFHRN7N3GtHNsAR9zF0T:+tMdtJIFClNEts89zmT
                                                                                                                                                                                                MD5:AAD69625CA4EA9ED2176D8E11DB56E2C
                                                                                                                                                                                                SHA1:3F3D9E94B07D40135DFB0A294002BA00BF866E6B
                                                                                                                                                                                                SHA-256:97C5A3EA6CC5086323EACE63B8DA07DA484055CEDA72856B98BDD507A6080B02
                                                                                                                                                                                                SHA-512:7C7614D77604B4E94E1C7AF45F0642DB8C8553D8AB2ECCD166EA4BADCB23802D191B59466E3C1F3DBC29B1CAEFFB2C666BDD1C9082613CFBB8FCFEE70D1FCF24
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):22296
                                                                                                                                                                                                Entropy (8bit):6.376173260415304
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:IT1G5qkxK67ex4FCh0eWYAWvlvX6HRN7aEw4R9zE8J:IJ6LS0YhBWajk9zJ
                                                                                                                                                                                                MD5:E08002B259471A203FB54A3142617115
                                                                                                                                                                                                SHA1:FB0EDC0F656F850EC49740479C78251A8FEEF35C
                                                                                                                                                                                                SHA-256:1A10820BEED89FE0A72D2D6A9E849001590B35625006EF53F67EC4981964B231
                                                                                                                                                                                                SHA-512:ACF5C0A39460A24F0687D84BE6B435B1E57BB90D77A13DA712CEAAE4B8409960FF21509F3E857D489ABD6827D8FAA635EDB4FEDF4141C7BFB858AAB4EC6D4C1E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16544
                                                                                                                                                                                                Entropy (8bit):6.621378907680227
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:s0WLW7yEqHWvWYA6VFHRN7i3tHNsAR9zF0RGRv:s0WkyEqGWFClkts89zmRGRv
                                                                                                                                                                                                MD5:065469DFC7A55B2575D432CC2EB20B75
                                                                                                                                                                                                SHA1:26C4271164F9A0D5F02C6EB79BF1A95E77D715F6
                                                                                                                                                                                                SHA-256:54C25CDE74F7FA7C164E5E8C90BBBDB1A4F84ECD4B3C6F542560A6CC8BC55E4D
                                                                                                                                                                                                SHA-512:BCAAA07A1DEC59A5B64D2034D30741EED9C00159EF4AE42C79896709C65B5982053074BC7621B818523B608B663845C853790B3AD6A484109696CF4690533685
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.760114531130961
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:KLIiUA/xzgWddWvBpWjA6Kr4PFHnhWgN7akWMgtUtxu3O6YX01k9z3AnQQO:KLjJ8WddWvBYA6VFHRN71JR9zKQQO
                                                                                                                                                                                                MD5:F5C6679493D864440EE6A19B508D21C4
                                                                                                                                                                                                SHA1:8D34E56F84ED52F3AEAC4E074505D2BCED16A189
                                                                                                                                                                                                SHA-256:52FD1A9D7666DB207E9F447A2F0C530C43539370633F1A8DA4CB930B9F62B420
                                                                                                                                                                                                SHA-512:5082DC05D0B99449F2B5231614FA988A990313DEE7F96A49600C2CBBAE50EA1AF453C77EA018156413849541129836AFBCDDD1D6053D94A00C3D2D51FCCD3419
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):30896
                                                                                                                                                                                                Entropy (8bit):4.273248077657323
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:JWHeWv4UpNUVBZu4xVXY7mWWxNzx95jmHnhWgN7agWGKIjwX01k9z3ABC/XO+R:JWHeWv4UpNJWC7AX6HRN7uHR9z0C/XOO
                                                                                                                                                                                                MD5:77D0B6E9DB4FE2D47149541ABB658C2C
                                                                                                                                                                                                SHA1:2D9349D25164FE01369B12FBBE392E5602F4FE5A
                                                                                                                                                                                                SHA-256:E8F7DE93A7F5F6AD2A909B4B849C594EB872498D1F491DCF2EEBFC740EDE56A0
                                                                                                                                                                                                SHA-512:47DE7B112EAE0F6AF383CBAC202DBF1417A3EDD6C3C0EAFC136E99E871AC819D5DC0D5507CE570F371B41D8B6E651960B09BF36E230F056982922CF16D3E0244
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16032
                                                                                                                                                                                                Entropy (8bit):6.7207100865383165
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:cCA6iA+GWZvWvZYA6VFHRN7zr49R9zriC:qs+R+ZFClzr69zZ
                                                                                                                                                                                                MD5:F0366F13E8A05F94B99A8CF97734C0CC
                                                                                                                                                                                                SHA1:9AFFFAF9AA03E4B982662A951C6704DBDD4D82D2
                                                                                                                                                                                                SHA-256:468A023FAE4823A00132B0D91EF77CD783A474B8AB16441AB5C879CB022397F4
                                                                                                                                                                                                SHA-512:AA4D08B1101F0F2D54E5C48199671674B2AFBF7A1B7F8E22752984CAA684931E1BA5D361EFE3585A1E66F7625ABB22F63415B9F69F9DC6EF4B7E697DE459B688
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16136
                                                                                                                                                                                                Entropy (8bit):6.763250939574308
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:DYlxlKxAdKXZ14WAsnPUWvTbpWjA6Kr4PFHnhWgN7agW6kxwVIX01k9z3A7OMsNo:ITQocZiWrsWvTbYA6VFHRN7UR9zEOMio
                                                                                                                                                                                                MD5:B8C780077D3BE36CC8F8A85C5B056393
                                                                                                                                                                                                SHA1:E269FE3AE47536E5583749987D15867680091BEC
                                                                                                                                                                                                SHA-256:6CA75DE642BFB7D7E4654161EE0A7FFAAC4775406073D5BD6588D8FBA9CE937F
                                                                                                                                                                                                SHA-512:6565880E5E6CCAD9FE6A2B3787FBE92F51306BB13D6A91389C4616D58B1EE2B8CFAF89CB748836C6BD8F0B09D8208BFF4CAB6D7B01A9A805E46E573647AC0159
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):18192
                                                                                                                                                                                                Entropy (8bit):6.625640713703575
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:bvu3anBNTYxDHn+WBvWvdpWjA6Kr4PFHnhWgN7agWv6KDUX01k9z3AWipVl:Lu3af2L+WBvWvdYA6VFHRN7m6pR9zvwl
                                                                                                                                                                                                MD5:BB348D3A59DB204B4F6357758D950D7B
                                                                                                                                                                                                SHA1:401FE3743A40BD85F06C5074454080E7F6895540
                                                                                                                                                                                                SHA-256:EF29DFAAEBC33486376625E22BDBC96597785E99859A96E7DFDDAD0211AB6643
                                                                                                                                                                                                SHA-512:ED8611B8EA3F164DAD3FD6A98337AA9076AC6EE9D00606C59DFB5AF19E7EC799E35FF580A1BF8FB74E23376D8780B068E030753BD6B56CFE17F438DCB6BD43AA
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):23712
                                                                                                                                                                                                Entropy (8bit):6.267200741035943
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:c58Ieq5ufyw8bcB8yGn70WzjsWvyYA6VFHRN7x6R9zdS:c58IeWv39yFClx29zA
                                                                                                                                                                                                MD5:4512B147B8F78C18047A105F2BB1A429
                                                                                                                                                                                                SHA1:C0BCB9C44F2DED879855E86FBC1CA9F755DEE78D
                                                                                                                                                                                                SHA-256:4A23D5325BA071AB2AE359F524062C6CAE2454A75DDAAB206022CE877E3AA13B
                                                                                                                                                                                                SHA-512:72ADAB86F3457653380BBA8775D4477A5DA20AB08BF55897EB6F53CF27D2CABBBDCA259DCE23E0080C3CA9DE6C8A29BF00689D6B9B58A317616E1A73BB8D9CB6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):50336
                                                                                                                                                                                                Entropy (8bit):5.748159627893803
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:+RlKhT46UA2Zi5wRNH5JVb0U502zq1TntuaaNFCl+69zsc:Ku6Zi5i5jzCkaaiRzsc
                                                                                                                                                                                                MD5:C251E9C5E68F8234ECEE5A332FA890EB
                                                                                                                                                                                                SHA1:D0FB802214E6641387B55270089300ADF52C9A48
                                                                                                                                                                                                SHA-256:36E9F61DA6BF4B6AEF5073DD639BB6174397A53573E3B0EE754AC5A997268070
                                                                                                                                                                                                SHA-512:289805F4BA063A5BE984810F7504E85B3F33659492EB3509CFEB314C7AE4D8EE8E207DBCA4F354D17F3D2A359E5B83D881F6E6A3380FA9C49701FEA7AA4B0352
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll, Author: Joe Security
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):16560
                                                                                                                                                                                                Entropy (8bit):6.703787228961883
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:UasFWQ+KWccWvDX6HRN7OnCLc49R9zri2:/C+AtLWM69zb
                                                                                                                                                                                                MD5:6D92C394A7172E6DE9DD86E5FD224117
                                                                                                                                                                                                SHA1:C8513747FE4289C84EFA1331EED0C4BE7D331C42
                                                                                                                                                                                                SHA-256:334F1AB36BAD2C8ED2A4A387005ECCC4C75382AE097E8AB0C737A18097252DB7
                                                                                                                                                                                                SHA-512:43B48EC3A1DAB55DACC4FEA3207123BE39A58392B9F456630D9DF0DC72318B53CB939E3EEAC1E810A1A6EBA13F8B4DED17B00E71F62EA99599084D82F6EFDF9A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):311056
                                                                                                                                                                                                Entropy (8bit):4.240184363331846
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:SE9XK6chFa5y9sh33X+QIa7rGgtfqYZdLqt:xq0FfqYZdLk
                                                                                                                                                                                                MD5:433E16EF5493F3056333B527F1E2DD60
                                                                                                                                                                                                SHA1:FE62C578F0186E2184EC45F2DAD74BB541949B07
                                                                                                                                                                                                SHA-256:C78605F3D54C17048715442A67E02C104EDF16BA63845E76E5C58EA39F3EAB5D
                                                                                                                                                                                                SHA-512:1D6D372A802A99383BDBA8788E96417D60CA19F072CB471BF36622190F44A34260C3F0F823C378091474FBA3082EB062D9560AE30A62966AB2B4925B51111262
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):668448
                                                                                                                                                                                                Entropy (8bit):6.597025509314607
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:6lUe0bQZSn84GFMN5mSVv8pg8OWFODaunfRSzPg9HRfAWbsxLTjjTVSAAbijTwxt:6ZZo8JaN5z+dufRS6xrgSAXTCWon
                                                                                                                                                                                                MD5:C72941B29791828AFBF0D431CC7FBA35
                                                                                                                                                                                                SHA1:B6DA4DFA2DFC390069FE838D3841DCCF6D48ABAA
                                                                                                                                                                                                SHA-256:CCF2823C73204A39DC0A1DE9E9B948B87BB9243F710AB53A6E0DF4C159BEF7D4
                                                                                                                                                                                                SHA-512:992183DEA27FDA359E475D937063C8679F47C53872180DF8AAA667C2F220ED6A5D09E87B30C0FB6CBCBA2F52B395A7FBFB230C9DF10036E5DD6CD3800AFE8CCB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1785096
                                                                                                                                                                                                Entropy (8bit):6.549282182275219
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:u/m1kU6fimCAYAOwJlfRyraVXxwHkye4asWnwZMN8f:uKAYzolImViHTe4avuf
                                                                                                                                                                                                MD5:00949AA1FCE3C881929ADB781077D8C0
                                                                                                                                                                                                SHA1:FF75673FD2492EC8D09458E2000CCE68565EFF26
                                                                                                                                                                                                SHA-256:91A91D35EB8D85293DFF960E8431963114AEFB9B62B0C261C0012ED040A2FE44
                                                                                                                                                                                                SHA-512:3FCE596DC69C4335EC5403171F5A044DC7E5E3DE8BFFE56777444E33DBED91D3647E74EDA936C2CE0117F5B9D5C2D28A522C26F8E54B4B1BE2E1ADBB4F1159CB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5044488
                                                                                                                                                                                                Entropy (8bit):6.559243918969336
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:49152:SFznQSUNeMW/3Pz42WuxpWNbIotHsErN3ocWErFMzHRGNTJc5fnzn7M4Fdpi9Zdo:dexpWNbIotUcsA9FbNF0DcxQ
                                                                                                                                                                                                MD5:059FC7A9CEAD83069D5147DD4DD75AE5
                                                                                                                                                                                                SHA1:EF7754EE10708C753E6A64C5F3B122CEF94A6166
                                                                                                                                                                                                SHA-256:DB1D6DEB3B4A74769DB761EEDF669142AB2D759EBA324672DE2649EF3D88E7F0
                                                                                                                                                                                                SHA-512:1656BD914B308F1FFBCCED00A53C96AB4BCFD411CA6AA0E98FD8F4768A2F94A4096D6858E4AA0E6A1DBF068F1D1A1E2D3D560592AFB09DA1EBBB27B8F9E7F903
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):61752
                                                                                                                                                                                                Entropy (8bit):6.3493073551414625
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:+hwLsWpGD774wTlENE9Kb8lS8BE3EqG01Ekks3uN2wP2QpTLFClk9z/:+hwLsWpG4Ntb8l4mD28liMz/
                                                                                                                                                                                                MD5:03EC12EEAF45EF8E1747862CE905F51A
                                                                                                                                                                                                SHA1:E4A47D35C7689C884B9F0AA491D8F824DA0DD469
                                                                                                                                                                                                SHA-256:4B82AFBE3419EDA1B9C9742F55CA2A2692CDF9C5C23B61068313494B3164925B
                                                                                                                                                                                                SHA-512:4A86B4BE9D521AC4F7D93E1E5F826D8D560750D97240BCA83D4982E8718186CF0BF23F61EB059C77B95C9B7719F64F00D6AE318798B7C0D76A2BF1F8E14D9263
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):393488
                                                                                                                                                                                                Entropy (8bit):6.332083868536635
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:8LsyeU2urknHxoHs+n1wg1xhDrLj5OAS0+QB02u7FksfEX7RPzfUz:ysyN2urknCHsAwgtrsA6Qu2v7dcz
                                                                                                                                                                                                MD5:4DF8367F195394E23720173C751CF159
                                                                                                                                                                                                SHA1:E215CF52164D4180605D5C16F873691649F4C32E
                                                                                                                                                                                                SHA-256:29BCB525992E2BF1DC2C66918450ADE3B36E88226B1CEAB18A8C110A0E0DA0DC
                                                                                                                                                                                                SHA-512:FD5DB356CB08578B731C62AFE3A98D57FDE6889ED1664038F01FBEF00FE06C83BC93365CFE94B8D23906990BFF5DA437A97C684C69CB61812E46C627C55CDD34
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1338400
                                                                                                                                                                                                Entropy (8bit):6.358098724993395
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:cABsjnIunobZ5eGiBSk7uf9xg9Y/ydKEPXoRyingNLi0/rqsaoGSZNrWVgi00szd:cjIuG4Sk7ug9Y/ytNe4rqsa0njGzQD
                                                                                                                                                                                                MD5:05D4804E5EA5509E19A3388B46A363E2
                                                                                                                                                                                                SHA1:31EA1248542D2914FC76179E5731126DFCCDBFA0
                                                                                                                                                                                                SHA-256:61350E7EE96E614900D641B4ECC3F35271AA2BA72C0455AE0D021E20C95F9A3E
                                                                                                                                                                                                SHA-512:6DBD79B065E8C0D3B042DA7615ABC0EF7DC7522E86AEB3DF9707080AFE113077A894F5CB963D2B0A179B5755296011798B24F7102AE9A5274CCD5C0FF9959EDA
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1338400
                                                                                                                                                                                                Entropy (8bit):6.358098724993395
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:cABsjnIunobZ5eGiBSk7uf9xg9Y/ydKEPXoRyingNLi0/rqsaoGSZNrWVgi00szd:cjIuG4Sk7ug9Y/ytNe4rqsa0njGzQD
                                                                                                                                                                                                MD5:05D4804E5EA5509E19A3388B46A363E2
                                                                                                                                                                                                SHA1:31EA1248542D2914FC76179E5731126DFCCDBFA0
                                                                                                                                                                                                SHA-256:61350E7EE96E614900D641B4ECC3F35271AA2BA72C0455AE0D021E20C95F9A3E
                                                                                                                                                                                                SHA-512:6DBD79B065E8C0D3B042DA7615ABC0EF7DC7522E86AEB3DF9707080AFE113077A894F5CB963D2B0A179B5755296011798B24F7102AE9A5274CCD5C0FF9959EDA
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):1241520
                                                                                                                                                                                                Entropy (8bit):6.349941690072582
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:YyL6o2u8NwfPWN0uenPtMDQUxbDjDDF2FZNd0W+/y9RtI/2gTZWQ9s16y6p54yqX:YyL6oXnU0uePtM/DjDDFA7dFiugTypf
                                                                                                                                                                                                MD5:18C328AE6740B28D3BCB238BDA17AEB9
                                                                                                                                                                                                SHA1:AB73DDA2F6EB35B743C56BABD2E3F5CADEBDB938
                                                                                                                                                                                                SHA-256:1676DF96BF8D0DA277F1ADC2102E7FC711240982D61C31610F83474F093092F4
                                                                                                                                                                                                SHA-512:CC5821C2E80F11BE3B010AD11943B53555C8537DD2975F900556B45A2FBA3C600D64707BFA72828EB320CEE74E48EF90FD726F76C5011361085824085017E024
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):59552
                                                                                                                                                                                                Entropy (8bit):5.643119448166663
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:lt51EDMpCUoqFY66Gw17oqZn/TEHmyrchswz6EEZcYf5o4ba2yGlG1QeY48lCi5m:ltFcC3ZcYf5o4bZyGc1A4c53iPmVz8n
                                                                                                                                                                                                MD5:67972D6AF44F5E08E9F3EACC31D302AC
                                                                                                                                                                                                SHA1:976D10328572171E8122FA1AA765E92AB54CEC45
                                                                                                                                                                                                SHA-256:217BC7C04BE852B4FCF8104F8BA8F673F1B177D2D8C5CAF455E7A18E6BBE2097
                                                                                                                                                                                                SHA-512:BE2B63E849A046A0D786EB25958F423A088BDE3431800FA4CB6667D5FA4147D1FD363AD2D7E3E4FE9EB8BCF03A0DCCBE5A23FA4252AA228D8EA1A380597AEC57
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):136984
                                                                                                                                                                                                Entropy (8bit):3.9056973889632753
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:HIH591YWvh7xR+l5dZU49N9SqignwJ5cvBMgSIctpoECyIWLzH:HIHhal5dZU4dSqHns2SpSkIAT
                                                                                                                                                                                                MD5:136282A8FF7A4730B2F719AFA5DADF90
                                                                                                                                                                                                SHA1:A86A5911C6BE4CE1E9535FC3F993677050EA5F15
                                                                                                                                                                                                SHA-256:95EED17CA001846333831DA4DB370FB838AE114CCE512DB31380E8B45C464024
                                                                                                                                                                                                SHA-512:3061C63242A95554A9855652D750FA3609860637EBB020A94CF3656761C182F0A1E15CFC87C6276BEF34FF75CDCB3FEDDA1E3B74D33A4E1B27628A36FA4302BB
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%%=.aDS.aDS.aDS.q...`DS.q.Q.`DS.RichaDS.PE..d......f.........." ...(..................................................................`.......................................................... ...................)..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@.......f........j...l...l..........f...........................f........l...................................RSDS.. 2v.ZA.].`S6Sc....D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... ..P....rsrc$01....P:.......rsrc$02....................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):538136
                                                                                                                                                                                                Entropy (8bit):6.299714405457925
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:q5YDDKStgzRK093ertSfiOMVAXUYYJJOb:qmDxSP6OaLYYJC
                                                                                                                                                                                                MD5:027854570A4412624BECEE78A10395C1
                                                                                                                                                                                                SHA1:6B0E6BC0CD97F2CAC1B962BE868FC7CB621D77F8
                                                                                                                                                                                                SHA-256:2D67E87859ECAEB15C4DD621B0983F1A9AD3E2AA9B11624C018A43E6D6B06BEC
                                                                                                                                                                                                SHA-512:8593D309434C7954AA42E5BD63F76A5BAE783C8F2130798EA285032C71F890C4C1783614597EE2BA3DA3294A68CE636EA2A9DCB21A858A840C8D8F6316928D65
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:..:..:..:..;..<U..%..<U..1..<U..*..3......q...?..:.....q...8..TU.....TU..;..TUj.;..:...8..TU..;..Rich:..................PE..d......e.........." ...&.@...................................................p......7.....`A.........................................|..h....|..h........@.......:.......(...`......0...T..............................@............P..h............................text...q>.......@.................. ..`.rdata...C...P...D...D..............@..@.data...............................@....pdata...:.......<..................@..@_RDATA..............................@..@.rsrc....@.......B..................@..@.reloc.......`......................@..B........................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):101024
                                                                                                                                                                                                Entropy (8bit):5.497003708267034
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:kYsYXj0p2NYq5V4bgDHsPdIpuSE5L3Ukcz9wFgi+CzN7f:xMkYe4bgDUAxCFglC5j
                                                                                                                                                                                                MD5:9332AA569690A1135EC72AA1EA9D1EDE
                                                                                                                                                                                                SHA1:3662B089DF497BE01400C6B609D87D12162AC7D2
                                                                                                                                                                                                SHA-256:E7BF779CB608124A7812160CE3D8BBE83C1E49C46A81EE0C2DC91447F191D1BB
                                                                                                                                                                                                SHA-512:5B4A11F3A9B66406489CDDEA7BBF338A9F7F7EC834CEAA5EDD8EB8194F6A58667880EFDEDD4FB870E5E20EB78C43BB51733369F897C3E9B9A3C370DD15120FBB
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...jQ............" ..0..X...........v... ........... ..............................;.....`.................................?v..O.......4............b...(..........hu..T............................................ ............... ..H............text....V... ...X.................. ..`.rsrc...4............Z..............@..@.reloc...............`..............@..B................sv......H.......P ...T...................t......................................BSJB............v4.0.30319......l...`...#~..... ...#Strings.....Q......#US..Q......#GUID....R......#Blob......................3............................P...,......H.........5....:....'...m......,.@..5#.T..P4.T...7.J...B....i5....u:.T..n7.T..&1.T.....T.../.T..(7.T...(.T.............................)....1....9....A....Q.. .Y....a....i....q....y..........................................
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):477
                                                                                                                                                                                                Entropy (8bit):5.423763623341714
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12:MMHdXxahhVA6+30gdVLiR4yzW+BFpBxBQEpjMVn9:JdXxahhVA6+33LiR4yW+DpBxWWK
                                                                                                                                                                                                MD5:3D2CEB0DF0D485A053E5C5DAFB4DA233
                                                                                                                                                                                                SHA1:08C8B09511AD158630A5CAC928C5D769576BFEEC
                                                                                                                                                                                                SHA-256:A7E932979E84C384995D50E3539C08F58EA04187C48087D2B51044D52C131138
                                                                                                                                                                                                SHA-512:2C653DE4DBE49ECB9F2D9C5956E02E6A3464262854A0A59860A7BDE25EA78AC5CC36801C8EDD39C15280F5EE2EDD3F00910A6548FDE54DB197EF548E42726BC3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>.<SoftwareIdentity tagId="wix:bundle/D42CEA76-6B02-403C-8FA9-B35C717DB802" name="Microsoft .NET Runtime - 8.0.8 (x64)" version="8.0.8.33916" versionScheme="multipartnumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">. <Entity name="Microsoft Corporation" regid="microsoft.com" role="softwareCreator tagCreator" />. <Meta persistentId="wix:bundle.upgrade/8DA0C13F-57EB-417F-0238-B9ADB29DA0A2" />.</SoftwareIdentity>
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.8 (x64)., Template: x64;1033, Revision Number: {364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}, Create Time/Date: Tue Jul 16 22:41:10 2024, Last Saved Time/Date: Tue Jul 16 22:41:10 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):798720
                                                                                                                                                                                                Entropy (8bit):6.549856617597805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:uVOm7qU8VKIvZUlkj/cBhZeK4lu/XdmYw+:uMm7HWvZgkjcDefMFmA
                                                                                                                                                                                                MD5:D7A4563316F82FAC2C537B5A040F5039
                                                                                                                                                                                                SHA1:6A25647F3296F4A328A2EDB1A82BD2FAA1D3FCE8
                                                                                                                                                                                                SHA-256:BA926ABCF18FEBAF15395A58328B92AC8C4EB2B335060B46A560280C8C1B6DA0
                                                                                                                                                                                                SHA-512:32160AFCF8F7A066AEDD4FC3449E1B8C6F104861FC9606E99E7AF9593AFA726895B04AA05F609E3CE8EEDD4464EF5C25436932B1E97E14FF59574D70F4B1CECF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.8 (x64)., Template: x64;1033, Revision Number: {BB639B51-1725-47F5-9229-90393A63E483}, Create Time/Date: Tue Jul 16 22:42:00 2024, Last Saved Time/Date: Tue Jul 16 22:42:00 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):868352
                                                                                                                                                                                                Entropy (8bit):6.7406278086618885
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:0tR4NlbhqU8VKIvZUlkj/cBhZeK4lu/XdmYwA:o6NldHWvZgkjcDefMFmq
                                                                                                                                                                                                MD5:53076072D81680ECBA82EA7648B204F0
                                                                                                                                                                                                SHA1:7A6DFC6EEF94A13D9F032040858EB2D5AA1D34F3
                                                                                                                                                                                                SHA-256:D63FB20F6B8D13D75B3E633DF7FB127721CAF5536963D66659FF29A5D3659F8C
                                                                                                                                                                                                SHA-512:0A8B019221CCFA4DEEF0D07245EFA0F578B9CCD24E24AEF87F5D9F56FC38067AB55A767179441978FAD340E8EC5B60EAC2C3F282247FBDCDD03980373D31513D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.8 (x64)., Template: x64;1033, Revision Number: {6AF517CA-B141-429F-9C4F-3B284175B717}, Create Time/Date: Tue Jul 16 22:42:12 2024, Last Saved Time/Date: Tue Jul 16 22:42:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):27648000
                                                                                                                                                                                                Entropy (8bit):7.99421368126692
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:393216:ng9KX0wCCa0yBBY2aUHkFkY3CHGaUKfi7KIyJ8+HLU4jm0z89CAuWoNzMHPdXpey:nUJ0yBnlk73csb7r+HLU4jHtYNdXbFF
                                                                                                                                                                                                MD5:F9D8FE368CBFA5731BEFC3698E9B109D
                                                                                                                                                                                                SHA1:AA5E1A3E6B3CEB6777376AF84C13E27690BE0CAC
                                                                                                                                                                                                SHA-256:38417C07721A97631B0B7780C0EB6544F08B3F611BDB95CEBCE1407F96E726A2
                                                                                                                                                                                                SHA-512:AF1E521A863CD56B3471F4EDC2C15E7F4332D5C6B7274EDF21DF2C79CE0AE0E3A21D6F37B32F2B61ED121078994333A749CFDE5663F4C25D4DA2F4B6FA4F7C0B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.8 (x64)., Template: x64;1033, Revision Number: {364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}, Create Time/Date: Tue Jul 16 22:41:10 2024, Last Saved Time/Date: Tue Jul 16 22:41:10 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):798720
                                                                                                                                                                                                Entropy (8bit):6.549856617597805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:uVOm7qU8VKIvZUlkj/cBhZeK4lu/XdmYw+:uMm7HWvZgkjcDefMFmA
                                                                                                                                                                                                MD5:D7A4563316F82FAC2C537B5A040F5039
                                                                                                                                                                                                SHA1:6A25647F3296F4A328A2EDB1A82BD2FAA1D3FCE8
                                                                                                                                                                                                SHA-256:BA926ABCF18FEBAF15395A58328B92AC8C4EB2B335060B46A560280C8C1B6DA0
                                                                                                                                                                                                SHA-512:32160AFCF8F7A066AEDD4FC3449E1B8C6F104861FC9606E99E7AF9593AFA726895B04AA05F609E3CE8EEDD4464EF5C25436932B1E97E14FF59574D70F4B1CECF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.8 (x64)., Template: x64;1033, Revision Number: {BB639B51-1725-47F5-9229-90393A63E483}, Create Time/Date: Tue Jul 16 22:42:00 2024, Last Saved Time/Date: Tue Jul 16 22:42:00 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):868352
                                                                                                                                                                                                Entropy (8bit):6.7406278086618885
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:0tR4NlbhqU8VKIvZUlkj/cBhZeK4lu/XdmYwA:o6NldHWvZgkjcDefMFmq
                                                                                                                                                                                                MD5:53076072D81680ECBA82EA7648B204F0
                                                                                                                                                                                                SHA1:7A6DFC6EEF94A13D9F032040858EB2D5AA1D34F3
                                                                                                                                                                                                SHA-256:D63FB20F6B8D13D75B3E633DF7FB127721CAF5536963D66659FF29A5D3659F8C
                                                                                                                                                                                                SHA-512:0A8B019221CCFA4DEEF0D07245EFA0F578B9CCD24E24AEF87F5D9F56FC38067AB55A767179441978FAD340E8EC5B60EAC2C3F282247FBDCDD03980373D31513D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.8 (x64)., Template: x64;1033, Revision Number: {6AF517CA-B141-429F-9C4F-3B284175B717}, Create Time/Date: Tue Jul 16 22:42:12 2024, Last Saved Time/Date: Tue Jul 16 22:42:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):27648000
                                                                                                                                                                                                Entropy (8bit):7.99421368126692
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:393216:ng9KX0wCCa0yBBY2aUHkFkY3CHGaUKfi7KIyJ8+HLU4jm0z89CAuWoNzMHPdXpey:nUJ0yBnlk73csb7r+HLU4jHtYNdXbFF
                                                                                                                                                                                                MD5:F9D8FE368CBFA5731BEFC3698E9B109D
                                                                                                                                                                                                SHA1:AA5E1A3E6B3CEB6777376AF84C13E27690BE0CAC
                                                                                                                                                                                                SHA-256:38417C07721A97631B0B7780C0EB6544F08B3F611BDB95CEBCE1407F96E726A2
                                                                                                                                                                                                SHA-512:AF1E521A863CD56B3471F4EDC2C15E7F4332D5C6B7274EDF21DF2C79CE0AE0E3A21D6F37B32F2B61ED121078994333A749CFDE5663F4C25D4DA2F4B6FA4F7C0B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):650576
                                                                                                                                                                                                Entropy (8bit):7.1821161714009305
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:v3mgqnIZuYfCYqFet4CovkM7XtZnEdckfNH2t2hQxP5:v3WnIZuMCxezot7dF/95
                                                                                                                                                                                                MD5:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                SHA1:8BF4AD72E787F557114347654EE9164892A09EC3
                                                                                                                                                                                                SHA-256:25F18502EF7C8FD93D93799C6ACB20AF1622FD89084151BB19FF44182AC4C817
                                                                                                                                                                                                SHA-512:EA97D69E05F6828A3D31A0161A43A135C76AB99674EB16938B8A3746ABAD4207854CE4B6D9AE9376D64320BE6C6D71E90FB0724937106AE7044AFD667F0929F5
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):866
                                                                                                                                                                                                Entropy (8bit):2.483321938867646
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12:IZK34pgMClGttDK+xU9GtGZttun2QUMsMJcRNDun2QaMsMJW:6KUgMClceKG1UUpU
                                                                                                                                                                                                MD5:D71EC16C7EBE51DCCFB65486C56820C2
                                                                                                                                                                                                SHA1:BB1485ADE1FCC9CD9207AC5E0CAA3EC0766B4C71
                                                                                                                                                                                                SHA-256:18D2BAE925CCC7015D49C6D9AFC45EDE026819BD6D475604704286A7A270116A
                                                                                                                                                                                                SHA-512:37AE87CA1615F359C26747299355EBE8B26977C314B4D42AAA6EEC20D57876A880159ECC10B61C1D5D545B51ED50DB649C37EADE87A5BD8F4C3D401E1589EDA1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:K...............................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.....................W.i.x.B.u.n.d.l.e.N.a.m.e.....$...M.i.c.r.o.s.o.f.t. ...N.E.T. .R.u.n.t.i.m.e. .-. .8...0...8. .(.x.6.4.).............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....>...C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.8...0...8.-.w.i.n.-.x.6.4...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.................................
                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):64
                                                                                                                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:Nlllultnxj:NllU
                                                                                                                                                                                                MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                                                                                                                                                SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                                                                                                                                                SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                                                                                                                                                SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):87
                                                                                                                                                                                                Entropy (8bit):4.50950986684377
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:NNgr+jJw05MIAIJhJwg6fJiTEQLN:Nu+1bS9Ivihxw/LN
                                                                                                                                                                                                MD5:B31BADDCD6AC7C90D26E182949F5D3D8
                                                                                                                                                                                                SHA1:02521FD1076102E8C16086049A274D1D4AD4E188
                                                                                                                                                                                                SHA-256:B2359A560EE7D63A33437C22236D6EF503AB5CF6ECDD766BB2632329320B0B0B
                                                                                                                                                                                                SHA-512:DCB6E75EB92096D54C2476BFBCC15D37F027FA28B2FB47DA1993269D26EE56F654F3436F984FD20F617CD3B36066B0EB8B4DB609EBF24B17FCB5FD5C2FC724C4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:@shift /0..start /wait dotnet-runtime-8.0.8-win-x64.exe /q..start /wait EtEskrivare.exe
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:ASCII text, with very long lines (342), with CRLF line terminators
                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                Size (bytes):13775
                                                                                                                                                                                                Entropy (8bit):5.551245968412134
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:384:E+ji+ySyzdwKBcOxmK14EnwOJWi58lN2yNP2DcKIad+P7ky7:E9xty5Jp7
                                                                                                                                                                                                MD5:93085A1C49354C2B5DE4CBA40AF76C0E
                                                                                                                                                                                                SHA1:3A0A44B062731460420E931BB50A0A4AFC2D87AF
                                                                                                                                                                                                SHA-256:FC41EEB785A05DA4032EAB2C93F30E1CB67C6E656558CC8B3BBE588749DF36B5
                                                                                                                                                                                                SHA-512:75DAB27794D5A4DE1387CE73E3AF97F19A9B4220E3148DF57B450385D880D5F11D9E955A157DCD354DD7131C5C069400625A42BFE39F95E82D81AA706E445088
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:[1BA4:1890][2024-10-03T09:25:50]i001: Burn v3.14.1.8722, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe..[1BA4:1890][2024-10-03T09:25:50]i000: Initializing string variable 'BUNDLEMONIKER' to value 'Microsoft .NET Runtime - 8.0.8 (x64)'..[1BA4:1890][2024-10-03T09:25:50]i000: Initializing string variable 'PRODUCT_NAME' to value 'Microsoft .NET Runtime - 8.0.8 (x64)'..[1BA4:1890][2024-10-03T09:25:50]i000: Initializing string variable 'LINK_PREREQ_PAGE' to value 'https://go.microsoft.com/fwlink/?linkid=846817'..[1BA4:1890][2024-10-03T09:25:50]i009: Command Line: '-burn.clean.room=C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe -burn.filehandle.attached=664 -burn.filehandle.self=692 /q'..[1BA4:1890][2024-10-03T09:25:50]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe'..[1BA4:1890][2024-10-03T09:25:50]i0
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):481408
                                                                                                                                                                                                Entropy (8bit):3.8482384941877634
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:aY2CM0sJZgj+A/Si1ouQ+Jz1XJOhjHQOsJSqmId/fEQIJ/fDCGTDk7j0fPbKyo6I:aYwj/oo5S
                                                                                                                                                                                                MD5:EEC5CC0243512D7FA5DA8F69FA2F210C
                                                                                                                                                                                                SHA1:E0DB436A2ABDBFE5316EE673CB4CA9739CCE3A07
                                                                                                                                                                                                SHA-256:FBA54EAA2F87ADF54572B5832DBE8D501F79267DFB4968B49E91AACCAFF4C77A
                                                                                                                                                                                                SHA-512:AC9AB098EE3495C5B519161980EAAEE5953F9D7B1759CAF04A4FD7F4C9342C9401C15D99DC239D9896511D6431FE426D461F9A2259CD69F4ED4CDB0058D9CFC9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.3./.1.0./.2.0.2.4. . .0.9.:.2.5.:.5.2. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.E.3.D.3.D.0.2.5.-.2.D.0.A.-.4.8.2.D.-.A.9.5.0.-.2.A.2.E.2.C.F.D.D.7.F.8.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.8...0...8.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.8.:.7.4.). .[.0.9.:.2.5.:.5.2.:.5.3.0.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.E.8.:.7.4.). .[.0.9.:.2.5.:.5.2.:.5.3.0.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.E.8.:.7.4.). .[.0.9.:.2.5.:.5.2.:.5.3.0.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.9.A.C.B.2.3.D.B.-.4.D.3.2.-.4.9.E.D.-.A.5.E.3.-.F.4.E.2.F.8.D.9.D.2.A.A.}.v.6.4...3.2...1.8.3.8.0.\.d.o.t.
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (399), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):98256
                                                                                                                                                                                                Entropy (8bit):3.794351013904152
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:1536:aZhFr0Mb9LEQ3VMBfk2NcDELg0pUKcQD+YGJv58UHpRJjbJDK+eh0u36X6U75Dxt:aZhFr0Mb9KmJYauaV75DxHFvjzCbTfwR
                                                                                                                                                                                                MD5:7BE44877F19C99FD3C721360053BFB6C
                                                                                                                                                                                                SHA1:E99B5AB683CADE636679FF5A514823B189A8721A
                                                                                                                                                                                                SHA-256:0FBDB902E10260CAE0DC505F03EEF96D6F20C1904D2989C57296CDAE0EA46210
                                                                                                                                                                                                SHA-512:1BF0918D9EF10BF1CBDF02F9A311C60310219BB6DC940CCD90ED1B7FC6D5321B40BB27D94AF1CD496A021686966E6E662AE63748AD3EF675C45562AC96E8E376
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:=== Verbose logging started: 03/10/2024  09:26:02  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe ===..MSI (c) (E8:D8) [09:26:02:415]: Resetting cached policy values..MSI (c) (E8:D8) [09:26:02:415]: Machine policy value 'Debug' is 0..MSI (c) (E8:D8) [09:26:02:415]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{7FE24458-0796-4428-99C2-9A0F8DAB93CC}v64.32.18380\dot
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (384), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):108558
                                                                                                                                                                                                Entropy (8bit):3.792858140296743
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:aOS4K7/ekZPsLQlkxwXsjQwKePE58blQVP8Tso3vGOT:avejd+OT
                                                                                                                                                                                                MD5:F3DE598FE96A4C1FABFECD16C2356CF7
                                                                                                                                                                                                SHA1:90EC289ABB0F9BD898C4E0F63C9A8C35F433649E
                                                                                                                                                                                                SHA-256:C18E7EC58CAF05DE6D6DA999B1F6CAB3DD68A539C4EBD9FFA2438F6402C4DB64
                                                                                                                                                                                                SHA-512:6F945BFF134A12D4521365DFA60F17406BC269EF9C437E4EEEEB8F067363CDABE311DF4CA7FBBEC853E59870068CCC1294354079D6BC8E5E066F0D6B19B6FD08
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:=== Verbose logging started: 03/10/2024  09:26:03  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe ===..MSI (c) (E8:08) [09:26:03:750]: Resetting cached policy values..MSI (c) (E8:08) [09:26:03:750]: Machine policy value 'Debug' is 0..MSI (c) (E8:08) [09:26:03:750]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}v64.32.18380\dot
                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5553
                                                                                                                                                                                                Entropy (8bit):6.2424208874824725
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTZKDsA9tfHP8+8nhM0WamzLdDF6uavGNZ2mfGvsNn957jQUA9+0E/sMvBWrw3:ItfdT/dJ6uavGNhgsNn9Kqpqw3
                                                                                                                                                                                                MD5:EC9F997A642901D07618E51B1058D87A
                                                                                                                                                                                                SHA1:44F5092BEFCBDB3E9052BD4C124562413E0B57B0
                                                                                                                                                                                                SHA-256:5D287E07659C1081C0ECAC0B283BAC98FAB1E0B7DE984CFFE3CB6935526E558E
                                                                                                                                                                                                SHA-512:07475C0E56A3D7FDCB5564DEE6752FABEC01718635C4B93CFC34F813448844141E486AFE59A4472E5D21DE594C6FF7C030FE2DDD178BE8448DF14D63B7ADE02B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">............. 10 ...............? ......!</String>.. <String Id="ConfirmCancelMessage">......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">...</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ......
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6250
                                                                                                                                                                                                Entropy (8bit):5.419218936280823
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTXmBtPxxHOy/9xXfpZJYnRI5C5J/FD/21jvaljZxEh27LioUGbtfXF:hM5xHOy/9dJiROo7/UjvWjIWXF
                                                                                                                                                                                                MD5:920BAE759C31B0A4DC5FB150F9987C2D
                                                                                                                                                                                                SHA1:306EA0CA7E196FAE93B9A49B9959C05B3CA05BBF
                                                                                                                                                                                                SHA-256:4870D2D3BD4BF4025C5001E27BC93E8E96EB7819D3F0368E50391EFCFD28B0C0
                                                                                                                                                                                                SHA-512:45B11C88C67E7C613B7B8C98B1BC8EBBA28D1404E80A10226CA6DD8454F2C07377C06BFCF917C7A98FF83A0BA7A94708A8E4C3013D897BC9EBF08F1C159F2872
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instala.n. program pro [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Pot.ebujete jenom prost.ed., textov. editor a 10 minut .asu.....Jste p.ipraveni? Dejme se tedy do toho!</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">P.edchoz. verze</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.cho
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6289
                                                                                                                                                                                                Entropy (8bit):5.1475182038122815
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JT5wUYN7xSbu0N8+0P9HjNnxjOjB5gBgaOzM0vLpucu+5bZkS:P8wnInxjOjrvBgiok
                                                                                                                                                                                                MD5:521E195CD8DA553C400210134BFFB7C6
                                                                                                                                                                                                SHA1:E8C5A4D63531255A905C1C17E9F40E50C95BA2FE
                                                                                                                                                                                                SHA-256:A517E0DC95689A30D505B64AC0056911B8FEB6F7EB757E628EE9701F9914705D
                                                                                                                                                                                                SHA-512:41AAB4C94F99EC0198518467DB25658A633A4D3B243BB2E7C73B6752851985299B7EB560B89080AF7E8BE874D8EA1D704228B5FB5E0C28F598A38D9E1A131FFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName]-Installationsprogramm</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Sie ben.tigen nur eine Shell, einen Text-Editor und 10 Minuten Zeit.....Bereit? Los geht's!</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Vorherige Version</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeauffo
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5666
                                                                                                                                                                                                Entropy (8bit):5.135580298015055
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installer</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">You just need a shell, a text editor and 10 minutes of your time.....Ready? Set? Let's go!</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will pro
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6364
                                                                                                                                                                                                Entropy (8bit):5.155823387432471
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Programme d.installation de [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Vous avez juste besoin d'un interpr.teur de commandes, d'un .diteur de texte et de 10 minutes...... vos marques ? Pr.t ? Partez !</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler ?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Version pr.c.dente</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [r.pertoire] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du bundle dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface utilisateur minimale, sans invite, ou n'affiche .. ni interfac
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6087
                                                                                                                                                                                                Entropy (8bit):5.07987443069915
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Programma di installazione di [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Bastano solo una shell, un editor di testo e 10 minuti di tempo.....Pronti per iniziare?</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Versione precedente</String>.. <String Id="HelpHeader">Guida all'installazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita, viene visualizzata l'int
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):7072
                                                                                                                                                                                                Entropy (8bit):5.923578194560453
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">.............. ............ 10 ....................</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">........</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... ...................................................................
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6124
                                                                                                                                                                                                Entropy (8bit):6.051354088330984
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] .. ...</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">., ... ..., 10.. ... ... ..............? .....!</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.. ..</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ....
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (323), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6374
                                                                                                                                                                                                Entropy (8bit):5.352390054047253
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalator pakietu [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Potrzebujemy tylko pow.oki, edytora tekstu i 10 minut czasu.....Wszystko gotowe? Zaczynamy!</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Poprzednia wersja</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietla
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6001
                                                                                                                                                                                                Entropy (8bit):5.199792832400898
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalador do [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Voc. s. precisa de um shell, um editor de texto e 10 minutos de seu tempo.....Tudo pronto? Ent.o, vamos nessa!</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Vers.o anterior</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio] - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a interface do usu.rio m.nima sem nenhum prompt ou n.o exibe nenhuma interface do usu.rio e.. nenhum prompt. Por padr.o, a interface do usu.rio
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):7918
                                                                                                                                                                                                Entropy (8bit):5.450378547921216
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">.......... [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">... ......... ...... ........, ......... ........ . 10 ..... ..................? ..... .........!</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.......... ......</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] . ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... . ....
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6107
                                                                                                                                                                                                Entropy (8bit):5.340937177058942
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTIKh5C6PHcIflKNTPgdi1mTWugzjKjJUSyJpx3APdbHQR:RdKNrmTWu6jKjCgE
                                                                                                                                                                                                MD5:65C296F0B153BCDFA4C4ED4F11A612F7
                                                                                                                                                                                                SHA1:18603ADACE54E4FF53D5D278815B64C037456C4E
                                                                                                                                                                                                SHA-256:C011CC5067F9D8707C45B411280E1987E239D7190E0B99F51EA8EC4A49C7A8E4
                                                                                                                                                                                                SHA-512:F56027BE10AA886C0FB45717C8276E6BFCA4BE6627C0BB9706B45AB41574511F6D2F719FF9E32CB3E11EEA944B38EDB2940059D53C47369A493C04DCF7963492
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Y.kleyicisi</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Yaln.zca bir kabu.a, bir metin d.zenleyicisine ve 10 dakikal.k bir zamana ihtiyac.n.z var.....Haz.r m.s.n.z? Haydi ba.layal.m!</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.nceki s.r.m</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5527
                                                                                                                                                                                                Entropy (8bit):6.216354276018148
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTsnfsdy5kQR9GLkE0tkBq1bLZ6gWogUtmN3B5DQKaVc/Y0b1jITwo:KJ9oq1bLZ6UgMmN3ccIP
                                                                                                                                                                                                MD5:519420F88368C70A1C193BCE22B1D0C6
                                                                                                                                                                                                SHA1:C183E79EEEAC61F763F0C3FFAE23EE4FE1B128A3
                                                                                                                                                                                                SHA-256:E12D4F73C7D38A4961F54BBFCBFD8CBCDC94B0ED60C660CECEDCED6C09A63508
                                                                                                                                                                                                SHA-512:D68542475D4E5D26AD9EEFD0960A0BFE46AEE523513AB9112347293B0C3F9708AC1490954C7A66DD2776D19C819D93F997092DCE8F74D0611CF1803A2F9F0A8E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">...... shell............ 10 ..............? ...? ......!</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">....</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ...............
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6044
                                                                                                                                                                                                Entropy (8bit):5.110481885392164
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTyDAMLILaisbyxwz9sgIq27jIk3jnTPjO1Eu2H2i/XrKkbZzpu:OnCL7kMjnTjO10xVu
                                                                                                                                                                                                MD5:89BA9B90D627C4C0543A4441B4BDB2F6
                                                                                                                                                                                                SHA1:3DA9571BD155E8B671CFE258A97B886185273989
                                                                                                                                                                                                SHA-256:14EC5FA5D80DF55D857B591DE3BF34F49F63258DF31AA5A9410005866A11BD09
                                                                                                                                                                                                SHA-512:B78731A4CE7B0482C3B3AAA9434404DF0320E26A4ED3DA7E364E0F5EEFAEA79A9944D366FE5B77CF84F1F38600D52E25F00F90A7E729BC8428FE2923153CE17D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalador de [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Solo necesita un shell, un editor de texto y 10 minutos......Preparados? .Listos? .Ya!</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Versi.n anterior</String>.. <String Id="HelpHeader">Ayuda del programa de instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. Install es la opci.n predeterminada...../passive | /quiet - muestra una IU m.nima sin peticiones, o bien no muestra la IU .. ni las peticiones. De forma predeterminada, se muestran la IU y to
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (564), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6286
                                                                                                                                                                                                Entropy (8bit):3.7655208455506437
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:XeV2VS/V2Vvun6PCiZW0wsycRZfn63Ajjy0w0ycxan6L/i0wQyc8UbS2rSgK+rP9:X0sesvuUVEWfcAnPMIaonINm5slM
                                                                                                                                                                                                MD5:3DEDEB6F369642B6FB2434354683CBDB
                                                                                                                                                                                                SHA1:8B508F15F882AC042D9445BFC24412F83D2869B8
                                                                                                                                                                                                SHA-256:0EFF834D91F787E9FCC076A53D69034D1F99817E55A40AD1DFBDF14BB2A05687
                                                                                                                                                                                                SHA-512:9E1DE71C87A209D779070DED84403F7FBBA1EE19708AEF59C2EB696C8FD82D9C83171493718010B13CA429BCF0CAEB6690A010DD327321CB0F062D5977DE98B9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".(.(.V.e.r.s.i.o.n.N.T. .&.g.t.;. .v.6...1.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.6...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).).". .M.e.s.s.a.g.e.=.".#.(.l.o.c...F.a.i.l.u.r.e.N.o.t.S.u.p.p.o.r.t.e.d.C.u.r.r.e.n.t.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.).". ./.>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4.". .M.e.s.s.a.g.e.=.".#.(.l.o.c...F.a.i.l.u.r.e.N.o.t.S.u.p.p.o.r.t.e.d.X.8.6.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.).". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .R.u.n.t.i.m.e. .-. .8...0...8. .(.x.6.4.).". .L.o.g.P.a.t.h.V.
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PNG image data, 620 x 418, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):4601
                                                                                                                                                                                                Entropy (8bit):6.635104571353389
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:u+Xg+NXWbdlIr33lx9W5OstaDIy3r5XpPyvZKmXYTDeiByNxcaaaaaaaaaaaaaaE:AaXWPIrHT932JsdpPyjqDeioatEn
                                                                                                                                                                                                MD5:9EB0320DFBF2BD541E6A55C01DDC9F20
                                                                                                                                                                                                SHA1:EB282A66D29594346531B1FF886D455E1DCD6D99
                                                                                                                                                                                                SHA-256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
                                                                                                                                                                                                SHA-512:9ADA3A1757A493FBB004BD767FAB8F77430AF69D71479F340B8B8EDE904CC94CD733700DB593A4A2D2E1184C0081FD0648318D867128E1CB461021314990931D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47889
                                                                                                                                                                                                Entropy (8bit):5.0783959060546975
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:32Kfuh/+YpJLdfxL1/pZ1ApGXjn8lcNLSx0:3Shj9bXQ0
                                                                                                                                                                                                MD5:CC06442CFC33D0AE6509143325C05110
                                                                                                                                                                                                SHA1:FC635958A57B88F63545CBEE1A37E3458CC547B0
                                                                                                                                                                                                SHA-256:72F2E7B06C562F1DD6CB3F6EFDCCD9AE620A183E598856AB3CBA6D712254824A
                                                                                                                                                                                                SHA-512:4D8A79347104501D89150A738DE24F700DC5D54D7CB05359C853A1189BF12B42E53B9E0B0D4A963C6AAA027D46D80A01AB2740BEE5D145C3597F1A7EFB48D4A9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5666
                                                                                                                                                                                                Entropy (8bit):5.135580298015055
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JT0abTxmup/vrCKATQdYQHdYCwgoVOBq9L05kbSED:XQNkdYQHdYCYa+D
                                                                                                                                                                                                MD5:34D0C531EED48550BE3D877290AD2553
                                                                                                                                                                                                SHA1:7983955032F9E7D2EE72CABC644A14C892A92289
                                                                                                                                                                                                SHA-256:0D2ABDE2E4974CC8B7231F017975180D67592EE6D3418CD6DC52E2BC4BF03E50
                                                                                                                                                                                                SHA-512:0C9D916AC420C6A27E723D8BAB2DB80372CC6303C79A6E1C3B2BD462711B711F2CC45FAE43CEB2CE603708C884B0EC6BB7217981EF2A03E0FC3E6C6916716E7A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installer</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">You just need a shell, a text editor and 10 minutes of your time.....Ready? Set? Let's go!</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will pro
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):11313
                                                                                                                                                                                                Entropy (8bit):5.159333682138518
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:eCdhlFGZRd4UyAi0Rz96zYFGiRdl6dXXdT9gUoLNEmRG3QBinRFRK03K8+GGI9k4:eCSfiozkI/A
                                                                                                                                                                                                MD5:03CF60952E7B59460FD22807E8CB28E1
                                                                                                                                                                                                SHA1:5F4454019C5F33059AE53522FFB534EEF815A5F5
                                                                                                                                                                                                SHA-256:AF7C42AC777B45751763BCEAF8604FA5B842B096DA4D1370158A1C3422713555
                                                                                                                                                                                                SHA-512:BFB3C642759522CD4FD8C784909E97C38E6C44CCED11D70167D0E243D8DA12555A94AA2CD9978745849FA5233A1915485D3E1CB011D985C92A115E44A11B7140
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="660" Height="468" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="900" Foreground="FFFFFF" Background="D42B51">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.. <Font Id="5" Height="-14" Weight="500" Foreground="444444">Segoe UI</Font>.... <Text Name="Title" X="11" Y="11" Width="-11" Height="64" FontId="1" Visible="yes" Center="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="0" Y="0" Width="620" Height="75" FontId="1" />..
                                                                                                                                                                                                Process:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):220512
                                                                                                                                                                                                Entropy (8bit):6.754483649907534
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:K6EZdi6e93SuDeTKZxQfsRy26BqbUHYJe:K62i6eNSYeuZ2sRDK
                                                                                                                                                                                                MD5:F68F43F809840328F4E993A54B0D5E62
                                                                                                                                                                                                SHA1:01DA48CE6C81DF4835B4C2ECA7E1D447BE893D39
                                                                                                                                                                                                SHA-256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
                                                                                                                                                                                                SHA-512:A7A799ECF1784FB5E8CD7191BF78B510FF5B07DB07363388D7B32ED21F4FDDC09E34D1160113395F728C0F4E57D13768A0350DBDB207D9224337D2153DC791E1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):425
                                                                                                                                                                                                Entropy (8bit):4.416526990398622
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:3HpMtN26mMBmdwHulAxm8qmRJJS0WzNoxmMBmd6WNYz/bNZzNIz/LyLNVhCuCTNl:KZAqg8qm00WOA6pz/Wz/2TZz/RMNUPY
                                                                                                                                                                                                MD5:EB7491724B6DA4BB0761AE5B9DA2C519
                                                                                                                                                                                                SHA1:FFC205E155C87F3079209EDA8FF9B787192189E3
                                                                                                                                                                                                SHA-256:476C21884B751C9BADBF31AA08181A3AA779942416D46CEC6268668234C21632
                                                                                                                                                                                                SHA-512:E802446126591FF20D659FB586E4E9713EA323B45B1698C5AA03207DF3966B0292DB8B07A478E70996B16752CE8D8591531BCC05E9FE75BCC4BE0D2AD5C1D4E6
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v8.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v8.0": {.. "EtEskrivare/1.0.0": {.. "runtime": {.. "EtEskrivare.dll": {}.. }.. }.. }.. },.. "libraries": {.. "EtEskrivare/1.0.0": {.. "type": "project",.. "serviceable": false,.. "sha512": "".. }.. }..}
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5632
                                                                                                                                                                                                Entropy (8bit):4.332460982885391
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:ziafdPj5DgQlzCchWf4x0HW5DPyyP9ezNt:O0wQ0cX0sDPP4
                                                                                                                                                                                                MD5:B36BBD3FFB26AE37C61042CD617B9604
                                                                                                                                                                                                SHA1:C6DFC3D2F5D7F77450F31AEC992577F5D538ED03
                                                                                                                                                                                                SHA-256:82AF966727E88309243D57E3A0CE2305D05673C4F1AF894B2C386059BE6329B2
                                                                                                                                                                                                SHA-512:05F243846A87E80933438829E04D6188A33E8F8254577A3AFE5DE774FA0E138D7B380647C5BB479808AFC29B1831ED5FF7B6D2BB66B5BB09BB90A64E8436433D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):138752
                                                                                                                                                                                                Entropy (8bit):6.023822014030691
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:mjK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOVhBu5:mjK4TDUqgpqWDLZ5H+xuZ046hA
                                                                                                                                                                                                MD5:43D024998EC3E5791995017E6550DD9C
                                                                                                                                                                                                SHA1:AB09BAD27F8855769F5B6948AFFC234AF9F7DF8D
                                                                                                                                                                                                SHA-256:06C6F9788D240BC3C26564EFE40DD1B115F68383A51A16AB0813A028C98A93DE
                                                                                                                                                                                                SHA-512:663EC0E77EF1E236C6EAC104AF82593070CD2E5827779071662211EFDFF635D13257225E23C88AB207BDF08D3820849F7EB6E3DD8106CA136433F5C3C0CC7D66
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:Microsoft Roslyn C# debugging symbols version 1.0
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):10932
                                                                                                                                                                                                Entropy (8bit):6.558856357117839
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:192:aYMl7UnLk/cXVEtB10dapq/6PhR+6UiBicXwKa+25MahaSVIiV73HafyEVAn1whF:aYU5vtB10dapq/6PhR+6hBicgKa+2uHT
                                                                                                                                                                                                MD5:6B0A7C72DAE96D2834EC0971C297DD16
                                                                                                                                                                                                SHA1:BC270C734C9DB396884E49F2A82E6B7E3AA6E476
                                                                                                                                                                                                SHA-256:F6CCAAD0C508EE892FAE52C60AFAC0B165D7203D4078114DE194C949A25DF85E
                                                                                                                                                                                                SHA-512:5F89C80DC8476A94953ADF8978C819BBB5CB62167F83561EFD9756D9F2B8C0901F383AB0CF63E222430BEEEADCE9F41AA3D12CEA2850C4CA425BDC3D81C85F5A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:BSJB............PDB v1.0........|...H...#Pdb............#~......(...#Strings............#US.....`...#GUID...8...|(..#Blob....>g...D...&...@H.......G...............................................................................................4...>...n...x...................e...v.............w'....................................P...i...........V...V......................... .............R( ...k('.....'.....c................startInfo.error.process.script.output........)....B..w......bQ?.....S..O....t....xD.F.2..........J..Fb..K..GM~n.\L.....jt..R_u..E.. .q.R...C:.Users.revse.source.repos.EtEskrivare.Program.cs.\.......) ....c.....Y(W..k.v......kt...kC.ProgramBase.cs.\......._ .)..V.l..*...,n.Q$3....k.........ProgramBase1.cs.\......... NY=......\....%..s-..]Z.B..%.U}..obj.Debug.net8.0.EtEskrivare.GlobalUsings.g.cs.\............ ..4..%..&.......Q?a..V...a*...NETCoreApp,Version=v8.0.AssemblyAttributes.cs.\...........6 ...x..6%.9....:P80..Z.......v...EtEskrivare.AssemblyInfo
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):268
                                                                                                                                                                                                Entropy (8bit):4.625973475474904
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:3Hp/hdNyhA0HI/XCkyFNOJeZS1MZeQ6NOOyPfKmn5BNTy:dFGp5MeU14hDS2r2
                                                                                                                                                                                                MD5:9FCDF880F73E74CF6347F8194B9F3509
                                                                                                                                                                                                SHA1:AB571C7ED4920129C89C7E083F3C9F22597198BC
                                                                                                                                                                                                SHA-256:162D81F468BEC570EC15E527433F4DE5D5729FFE338AB79B22671F38760D34BD
                                                                                                                                                                                                SHA-512:23EA2A78914AEEC443BDED1E6DDDB1FCE61F0445C53E0428E97353DCC25E9EE80A98603069DE336D57C1D12B00EB14AD59847137387DF330A3925BD763F4FDE1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:{.. "runtimeOptions": {.. "tfm": "net8.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "8.0.0".. },.. "configProperties": {.. "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": false.. }.. }..}
                                                                                                                                                                                                Process:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):28703680
                                                                                                                                                                                                Entropy (8bit):7.9984657206536305
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:786432:h3o1hsyO3dPtyxFERRoI7U8r/UMkK1ECijOL:3ym8UyIl732OL
                                                                                                                                                                                                MD5:6078CD9F0B46862256D9C8B3BB4F86EF
                                                                                                                                                                                                SHA1:2904CCECE8829423A636F8CB3D176EFFFA9D8921
                                                                                                                                                                                                SHA-256:2F902081294E31C82F7FFAE4B58483D05515FB3C979EC08B9D9942C5088FF542
                                                                                                                                                                                                SHA-512:57F2A276176661A340B96991B584BCB81BA3C0150E3684CB109B29CC3A8EBE6FDF1E586D948D498E7AAF22F7401C1CC94062C13CFFD20999771ECC5DFC2E917E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.8 (x64)., Template: x64;1033, Revision Number: {6AF517CA-B141-429F-9C4F-3B284175B717}, Create Time/Date: Tue Jul 16 22:42:12 2024, Last Saved Time/Date: Tue Jul 16 22:42:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):27648000
                                                                                                                                                                                                Entropy (8bit):7.99421368126692
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:393216:ng9KX0wCCa0yBBY2aUHkFkY3CHGaUKfi7KIyJ8+HLU4jm0z89CAuWoNzMHPdXpey:nUJ0yBnlk73csb7r+HLU4jHtYNdXbFF
                                                                                                                                                                                                MD5:F9D8FE368CBFA5731BEFC3698E9B109D
                                                                                                                                                                                                SHA1:AA5E1A3E6B3CEB6777376AF84C13E27690BE0CAC
                                                                                                                                                                                                SHA-256:38417C07721A97631B0B7780C0EB6544F08B3F611BDB95CEBCE1407F96E726A2
                                                                                                                                                                                                SHA-512:AF1E521A863CD56B3471F4EDC2C15E7F4332D5C6B7274EDF21DF2C79CE0AE0E3A21D6F37B32F2B61ED121078994333A749CFDE5663F4C25D4DA2F4B6FA4F7C0B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.8 (x64)., Template: x64;1033, Revision Number: {6AF517CA-B141-429F-9C4F-3B284175B717}, Create Time/Date: Tue Jul 16 22:42:12 2024, Last Saved Time/Date: Tue Jul 16 22:42:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):27648000
                                                                                                                                                                                                Entropy (8bit):7.99421368126692
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:393216:ng9KX0wCCa0yBBY2aUHkFkY3CHGaUKfi7KIyJ8+HLU4jm0z89CAuWoNzMHPdXpey:nUJ0yBnlk73csb7r+HLU4jHtYNdXbFF
                                                                                                                                                                                                MD5:F9D8FE368CBFA5731BEFC3698E9B109D
                                                                                                                                                                                                SHA1:AA5E1A3E6B3CEB6777376AF84C13E27690BE0CAC
                                                                                                                                                                                                SHA-256:38417C07721A97631B0B7780C0EB6544F08B3F611BDB95CEBCE1407F96E726A2
                                                                                                                                                                                                SHA-512:AF1E521A863CD56B3471F4EDC2C15E7F4332D5C6B7274EDF21DF2C79CE0AE0E3A21D6F37B32F2B61ED121078994333A749CFDE5663F4C25D4DA2F4B6FA4F7C0B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.8 (x64)., Template: x64;1033, Revision Number: {BB639B51-1725-47F5-9229-90393A63E483}, Create Time/Date: Tue Jul 16 22:42:00 2024, Last Saved Time/Date: Tue Jul 16 22:42:00 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):868352
                                                                                                                                                                                                Entropy (8bit):6.7406278086618885
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:0tR4NlbhqU8VKIvZUlkj/cBhZeK4lu/XdmYwA:o6NldHWvZgkjcDefMFmq
                                                                                                                                                                                                MD5:53076072D81680ECBA82EA7648B204F0
                                                                                                                                                                                                SHA1:7A6DFC6EEF94A13D9F032040858EB2D5AA1D34F3
                                                                                                                                                                                                SHA-256:D63FB20F6B8D13D75B3E633DF7FB127721CAF5536963D66659FF29A5D3659F8C
                                                                                                                                                                                                SHA-512:0A8B019221CCFA4DEEF0D07245EFA0F578B9CCD24E24AEF87F5D9F56FC38067AB55A767179441978FAD340E8EC5B60EAC2C3F282247FBDCDD03980373D31513D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.8 (x64)., Template: x64;1033, Revision Number: {BB639B51-1725-47F5-9229-90393A63E483}, Create Time/Date: Tue Jul 16 22:42:00 2024, Last Saved Time/Date: Tue Jul 16 22:42:00 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):868352
                                                                                                                                                                                                Entropy (8bit):6.7406278086618885
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:0tR4NlbhqU8VKIvZUlkj/cBhZeK4lu/XdmYwA:o6NldHWvZgkjcDefMFmq
                                                                                                                                                                                                MD5:53076072D81680ECBA82EA7648B204F0
                                                                                                                                                                                                SHA1:7A6DFC6EEF94A13D9F032040858EB2D5AA1D34F3
                                                                                                                                                                                                SHA-256:D63FB20F6B8D13D75B3E633DF7FB127721CAF5536963D66659FF29A5D3659F8C
                                                                                                                                                                                                SHA-512:0A8B019221CCFA4DEEF0D07245EFA0F578B9CCD24E24AEF87F5D9F56FC38067AB55A767179441978FAD340E8EC5B60EAC2C3F282247FBDCDD03980373D31513D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.8 (x64)., Template: x64;1033, Revision Number: {364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}, Create Time/Date: Tue Jul 16 22:41:10 2024, Last Saved Time/Date: Tue Jul 16 22:41:10 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):798720
                                                                                                                                                                                                Entropy (8bit):6.549856617597805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:uVOm7qU8VKIvZUlkj/cBhZeK4lu/XdmYw+:uMm7HWvZgkjcDefMFmA
                                                                                                                                                                                                MD5:D7A4563316F82FAC2C537B5A040F5039
                                                                                                                                                                                                SHA1:6A25647F3296F4A328A2EDB1A82BD2FAA1D3FCE8
                                                                                                                                                                                                SHA-256:BA926ABCF18FEBAF15395A58328B92AC8C4EB2B335060B46A560280C8C1B6DA0
                                                                                                                                                                                                SHA-512:32160AFCF8F7A066AEDD4FC3449E1B8C6F104861FC9606E99E7AF9593AFA726895B04AA05F609E3CE8EEDD4464EF5C25436932B1E97E14FF59574D70F4B1CECF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.8 (x64)., Template: x64;1033, Revision Number: {364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}, Create Time/Date: Tue Jul 16 22:41:10 2024, Last Saved Time/Date: Tue Jul 16 22:41:10 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):798720
                                                                                                                                                                                                Entropy (8bit):6.549856617597805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:uVOm7qU8VKIvZUlkj/cBhZeK4lu/XdmYw+:uMm7HWvZgkjcDefMFmA
                                                                                                                                                                                                MD5:D7A4563316F82FAC2C537B5A040F5039
                                                                                                                                                                                                SHA1:6A25647F3296F4A328A2EDB1A82BD2FAA1D3FCE8
                                                                                                                                                                                                SHA-256:BA926ABCF18FEBAF15395A58328B92AC8C4EB2B335060B46A560280C8C1B6DA0
                                                                                                                                                                                                SHA-512:32160AFCF8F7A066AEDD4FC3449E1B8C6F104861FC9606E99E7AF9593AFA726895B04AA05F609E3CE8EEDD4464EF5C25436932B1E97E14FF59574D70F4B1CECF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):250736
                                                                                                                                                                                                Entropy (8bit):6.765155684437659
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):69506
                                                                                                                                                                                                Entropy (8bit):5.65218566422496
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:D/y1vkzwNsnEU3M+7tEOYVSFu9F3UJ2M6K8r:ryBkzNEU3M+fS33UsMNK
                                                                                                                                                                                                MD5:9AF5F59962C6A796883042AD00810F54
                                                                                                                                                                                                SHA1:3022A087298CD404E382DE7B0AB2161889FDDE3F
                                                                                                                                                                                                SHA-256:878AA9774512E0467673495B630D189025CFDEF362197D265B5A5FA9CDAF7009
                                                                                                                                                                                                SHA-512:9F86A52969CF79A993D59531BF49F898D333FB5E410C638B4FF71ADE4B20450E10639CAC35E30D08F016FEB8B1961B7124F40D91466B115561850FB771C99E9D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@<KCY.@.....@.....@.....@.....@.....@......&.{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA}$.Microsoft .NET Runtime - 8.0.8 (x64) .dotnet-runtime-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{6AF517CA-B141-429F-9C4F-3B284175B717}.....@.....@.....@.....@.......@.....@.....@.......@....$.Microsoft .NET Runtime - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3C4C024C-2130-52A6-970B-70C150A9C6A1}R.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_64.32.18380_x64\Version.@.......@.....@.....@......&.{6CB89BA5-BA15-534E-A68E-2264932E5941}C.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\.version.@.......@.....@.....@......&.{9ADA46AD-09F9-5ECD-900E-DBDF4918CCBC}G.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll.@.......@.....@.....@......&.{065DBC19-6591-5CC8-9436-232F964F0892}D.C:\Program
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):250736
                                                                                                                                                                                                Entropy (8bit):6.765155684437659
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2789
                                                                                                                                                                                                Entropy (8bit):5.766267063623249
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:WWL8Fo3uDSXBz5DhRnzCUHMb6P32p+1ku2D8SBhRQM8u2VeU1D5nF1aFWRD2kgNo:WWLiexNdRhHP5DSHRGuke6FVD2kyEPj
                                                                                                                                                                                                MD5:C6242DB12155E7113273464C24D03CF0
                                                                                                                                                                                                SHA1:148E61E0008AF4ACB6901C27F6490D8553CCF755
                                                                                                                                                                                                SHA-256:16AC0F701ABD7F055E45AC68BBBE2A3EA25063C70625BC5FD2D7C1D54E2F8FAE
                                                                                                                                                                                                SHA-512:1C1FD70E2D26DD165D472F87BBF96BBF88469DAB98B403D6EED2DDF61A0555C12384A1E5C98A5B52DF579110756007873247B8A1F799A3B1933C6E1340AA113B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@BKCY.@.....@.....@.....@.....@.....@......&.{7FE24458-0796-4428-99C2-9A0F8DAB93CC}-.Microsoft .NET Host FX Resolver - 8.0.8 (x64) .dotnet-hostfxr-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{BB639B51-1725-47F5-9229-90393A63E483}.....@.....@.....@.....@.......@.....@.....@.......@....-.Microsoft .NET Host FX Resolver - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{A7B38373-46D8-574E-BFAC-69B10BFA5D28}V.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.32.18380_x64\Version.@.......@.....@.....@......&.{1DC8D66C-83D7-58FD-A401-939C300FD86E}2.C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Director
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):250736
                                                                                                                                                                                                Entropy (8bit):6.765155684437659
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):4228
                                                                                                                                                                                                Entropy (8bit):5.720082232059593
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:CLhe2VSdeVPQHLxwj5FApenX/uce6REeOcbD/kmEPgcieZcx:ehESUCkpo/uce6OhmW2X
                                                                                                                                                                                                MD5:A23034CC8AAF9DC8A235B2B55C94D0BA
                                                                                                                                                                                                SHA1:986E01D712ECFA9294D422A0F002BA05F04AC32B
                                                                                                                                                                                                SHA-256:33EC4E45E87C515F7A466B6F2113FD61075A78184B4208D5A53F83339F4DC01D
                                                                                                                                                                                                SHA-512:1AE7778692F241D63BD74A598D096FAFCA17F42162DB75FDA1CC11A6D47BA23D246F5121D4AF6040177102C0357BA2FFE9E78D0D57697C4F1AF72F44E8057F1D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:...@IXOS.@.....@CKCY.@.....@.....@.....@.....@.....@......&.{3BA242F8-BDB5-4096-9FBC-333CD663BBAD}!.Microsoft .NET Host - 8.0.8 (x64)..dotnet-host-8.0.8-win-x64.msi.@.....@.G @.@.....@........&.{364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}.....@.....@.....@.....@.......@.....@.....@.......@....!.Microsoft .NET Host - 8.0.8 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{7ECCA0D4-8C88-50DD-A538-CDC29B9350D1}Q.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Version.@.......@.....@.....@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}".C:\Program Files\dotnet\dotnet.exe.@.......@.....@.....@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}B.22:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\sharedhost\Version.@.......@.....@.....@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\InstallLoc
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                Size (bytes):250736
                                                                                                                                                                                                Entropy (8bit):6.765155684437659
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.1724718354726056
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12:JSbX72FjbAGiLIlHVRpIh/7777777777777777777777777vDHFP50sU2ndirl0G:J9QI5wssUCdLF
                                                                                                                                                                                                MD5:92FAF284F8B333B2A26BB92A56ACB5C3
                                                                                                                                                                                                SHA1:02402FE3E90A9DABCB69A37ED593942BF124BBBD
                                                                                                                                                                                                SHA-256:084DBF72C7805E1EF906F1FB39F3E85025D901D4ED5835CF59615B707FD6461F
                                                                                                                                                                                                SHA-512:FA279188562EA477C6F9B37EC55141C88AD9C3C9F73852D65562A863275A0E8342CA2BBDE82370799BC80987977E0DA27F9CF9D576AEDD3654EBDC1D861FD886
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.1739582831517708
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.1737306093361644
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.578482052600408
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):360001
                                                                                                                                                                                                Entropy (8bit):5.362962394435796
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):650576
                                                                                                                                                                                                Entropy (8bit):7.1821161714009305
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5553
                                                                                                                                                                                                Entropy (8bit):6.2424208874824725
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">............. 10 ...............? ......!</String>.. <String Id="ConfirmCancelMessage">......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">...</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ......
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6250
                                                                                                                                                                                                Entropy (8bit):5.419218936280823
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instala.n. program pro [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Pot.ebujete jenom prost.ed., textov. editor a 10 minut .asu.....Jste p.ipraveni? Dejme se tedy do toho!</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">P.edchoz. verze</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.cho
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6289
                                                                                                                                                                                                Entropy (8bit):5.1475182038122815
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName]-Installationsprogramm</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Sie ben.tigen nur eine Shell, einen Text-Editor und 10 Minuten Zeit.....Bereit? Los geht's!</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Vorherige Version</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeauffo
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5666
                                                                                                                                                                                                Entropy (8bit):5.135580298015055
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installer</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">You just need a shell, a text editor and 10 minutes of your time.....Ready? Set? Let's go!</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will pro
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6364
                                                                                                                                                                                                Entropy (8bit):5.155823387432471
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Programme d.installation de [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Vous avez juste besoin d'un interpr.teur de commandes, d'un .diteur de texte et de 10 minutes...... vos marques ? Pr.t ? Partez !</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler ?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Version pr.c.dente</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [r.pertoire] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du bundle dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface utilisateur minimale, sans invite, ou n'affiche .. ni interfac
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6087
                                                                                                                                                                                                Entropy (8bit):5.07987443069915
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Programma di installazione di [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Bastano solo una shell, un editor di testo e 10 minuti di tempo.....Pronti per iniziare?</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Versione precedente</String>.. <String Id="HelpHeader">Guida all'installazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita, viene visualizzata l'int
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):7072
                                                                                                                                                                                                Entropy (8bit):5.923578194560453
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">.............. ............ 10 ....................</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">........</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... ...................................................................
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6124
                                                                                                                                                                                                Entropy (8bit):6.051354088330984
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] .. ...</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">., ... ..., 10.. ... ... ..............? .....!</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.. ..</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ....
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (323), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6374
                                                                                                                                                                                                Entropy (8bit):5.352390054047253
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalator pakietu [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Potrzebujemy tylko pow.oki, edytora tekstu i 10 minut czasu.....Wszystko gotowe? Zaczynamy!</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Poprzednia wersja</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietla
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6001
                                                                                                                                                                                                Entropy (8bit):5.199792832400898
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalador do [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Voc. s. precisa de um shell, um editor de texto e 10 minutos de seu tempo.....Tudo pronto? Ent.o, vamos nessa!</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Vers.o anterior</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio] - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a interface do usu.rio m.nima sem nenhum prompt ou n.o exibe nenhuma interface do usu.rio e.. nenhum prompt. Por padr.o, a interface do usu.rio
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):7918
                                                                                                                                                                                                Entropy (8bit):5.450378547921216
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">.......... [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">... ......... ...... ........, ......... ........ . 10 ..... ..................? ..... .........!</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.......... ......</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] . ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... . ....
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6107
                                                                                                                                                                                                Entropy (8bit):5.340937177058942
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTIKh5C6PHcIflKNTPgdi1mTWugzjKjJUSyJpx3APdbHQR:RdKNrmTWu6jKjCgE
                                                                                                                                                                                                MD5:65C296F0B153BCDFA4C4ED4F11A612F7
                                                                                                                                                                                                SHA1:18603ADACE54E4FF53D5D278815B64C037456C4E
                                                                                                                                                                                                SHA-256:C011CC5067F9D8707C45B411280E1987E239D7190E0B99F51EA8EC4A49C7A8E4
                                                                                                                                                                                                SHA-512:F56027BE10AA886C0FB45717C8276E6BFCA4BE6627C0BB9706B45AB41574511F6D2F719FF9E32CB3E11EEA944B38EDB2940059D53C47369A493C04DCF7963492
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Y.kleyicisi</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Yaln.zca bir kabu.a, bir metin d.zenleyicisine ve 10 dakikal.k bir zamana ihtiyac.n.z var.....Haz.r m.s.n.z? Haydi ba.layal.m!</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">.nceki s.r.m</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5527
                                                                                                                                                                                                Entropy (8bit):6.216354276018148
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTsnfsdy5kQR9GLkE0tkBq1bLZ6gWogUtmN3B5DQKaVc/Y0b1jITwo:KJ9oq1bLZ6UgMmN3ccIP
                                                                                                                                                                                                MD5:519420F88368C70A1C193BCE22B1D0C6
                                                                                                                                                                                                SHA1:C183E79EEEAC61F763F0C3FFAE23EE4FE1B128A3
                                                                                                                                                                                                SHA-256:E12D4F73C7D38A4961F54BBFCBFD8CBCDC94B0ED60C660CECEDCED6C09A63508
                                                                                                                                                                                                SHA-512:D68542475D4E5D26AD9EEFD0960A0BFE46AEE523513AB9112347293B0C3F9708AC1490954C7A66DD2776D19C819D93F997092DCE8F74D0611CF1803A2F9F0A8E
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">...... shell............ 10 ..............? ...? ......!</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">....</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ...............
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6044
                                                                                                                                                                                                Entropy (8bit):5.110481885392164
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JTyDAMLILaisbyxwz9sgIq27jIk3jnTPjO1Eu2H2i/XrKkbZzpu:OnCL7kMjnTjO10xVu
                                                                                                                                                                                                MD5:89BA9B90D627C4C0543A4441B4BDB2F6
                                                                                                                                                                                                SHA1:3DA9571BD155E8B671CFE258A97B886185273989
                                                                                                                                                                                                SHA-256:14EC5FA5D80DF55D857B591DE3BF34F49F63258DF31AA5A9410005866A11BD09
                                                                                                                                                                                                SHA-512:B78731A4CE7B0482C3B3AAA9434404DF0320E26A4ED3DA7E364E0F5EEFAEA79A9944D366FE5B77CF84F1F38600D52E25F00F90A7E729BC8428FE2923153CE17D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalador de [WixBundleName]</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">Solo necesita un shell, un editor de texto y 10 minutos......Preparados? .Listos? .Ya!</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Versi.n anterior</String>.. <String Id="HelpHeader">Ayuda del programa de instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. Install es la opci.n predeterminada...../passive | /quiet - muestra una IU m.nima sin peticiones, o bien no muestra la IU .. ni las peticiones. De forma predeterminada, se muestran la IU y to
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (564), with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):6286
                                                                                                                                                                                                Entropy (8bit):3.7655208455506437
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:XeV2VS/V2Vvun6PCiZW0wsycRZfn63Ajjy0w0ycxan6L/i0wQyc8UbS2rSgK+rP9:X0sesvuUVEWfcAnPMIaonINm5slM
                                                                                                                                                                                                MD5:3DEDEB6F369642B6FB2434354683CBDB
                                                                                                                                                                                                SHA1:8B508F15F882AC042D9445BFC24412F83D2869B8
                                                                                                                                                                                                SHA-256:0EFF834D91F787E9FCC076A53D69034D1F99817E55A40AD1DFBDF14BB2A05687
                                                                                                                                                                                                SHA-512:9E1DE71C87A209D779070DED84403F7FBBA1EE19708AEF59C2EB696C8FD82D9C83171493718010B13CA429BCF0CAEB6690A010DD327321CB0F062D5977DE98B9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".(.(.V.e.r.s.i.o.n.N.T. .&.g.t.;. .v.6...1.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.6...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).).". .M.e.s.s.a.g.e.=.".#.(.l.o.c...F.a.i.l.u.r.e.N.o.t.S.u.p.p.o.r.t.e.d.C.u.r.r.e.n.t.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.).". ./.>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4.". .M.e.s.s.a.g.e.=.".#.(.l.o.c...F.a.i.l.u.r.e.N.o.t.S.u.p.p.o.r.t.e.d.X.8.6.O.p.e.r.a.t.i.n.g.S.y.s.t.e.m.).". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .R.u.n.t.i.m.e. .-. .8...0...8. .(.x.6.4.).". .L.o.g.P.a.t.h.V.
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PNG image data, 620 x 418, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):4601
                                                                                                                                                                                                Entropy (8bit):6.635104571353389
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:u+Xg+NXWbdlIr33lx9W5OstaDIy3r5XpPyvZKmXYTDeiByNxcaaaaaaaaaaaaaaE:AaXWPIrHT932JsdpPyjqDeioatEn
                                                                                                                                                                                                MD5:9EB0320DFBF2BD541E6A55C01DDC9F20
                                                                                                                                                                                                SHA1:EB282A66D29594346531B1FF886D455E1DCD6D99
                                                                                                                                                                                                SHA-256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
                                                                                                                                                                                                SHA-512:9ADA3A1757A493FBB004BD767FAB8F77430AF69D71479F340B8B8EDE904CC94CD733700DB593A4A2D2E1184C0081FD0648318D867128E1CB461021314990931D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):47889
                                                                                                                                                                                                Entropy (8bit):5.0783959060546975
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:768:32Kfuh/+YpJLdfxL1/pZ1ApGXjn8lcNLSx0:3Shj9bXQ0
                                                                                                                                                                                                MD5:CC06442CFC33D0AE6509143325C05110
                                                                                                                                                                                                SHA1:FC635958A57B88F63545CBEE1A37E3458CC547B0
                                                                                                                                                                                                SHA-256:72F2E7B06C562F1DD6CB3F6EFDCCD9AE620A183E598856AB3CBA6D712254824A
                                                                                                                                                                                                SHA-512:4D8A79347104501D89150A738DE24F700DC5D54D7CB05359C853A1189BF12B42E53B9E0B0D4A963C6AAA027D46D80A01AB2740BEE5D145C3597F1A7EFB48D4A9
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0302020204030204}Calibri Light;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Tim
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):5666
                                                                                                                                                                                                Entropy (8bit):5.135580298015055
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:JT0abTxmup/vrCKATQdYQHdYCwgoVOBq9L05kbSED:XQNkdYQHdYCYa+D
                                                                                                                                                                                                MD5:34D0C531EED48550BE3D877290AD2553
                                                                                                                                                                                                SHA1:7983955032F9E7D2EE72CABC644A14C892A92289
                                                                                                                                                                                                SHA-256:0D2ABDE2E4974CC8B7231F017975180D67592EE6D3418CD6DC52E2BC4BF03E50
                                                                                                                                                                                                SHA-512:0C9D916AC420C6A27E723D8BAB2DB80372CC6303C79A6E1C3B2BD462711B711F2CC45FAE43CEB2CE603708C884B0EC6BB7217981EF2A03E0FC3E6C6916716E7A
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installer</String>.. <String Id="Title">[BUNDLEMONIKER]</String>.. <String Id="Motto">You just need a shell, a text editor and 10 minutes of your time.....Ready? Set? Let's go!</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will pro
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):11313
                                                                                                                                                                                                Entropy (8bit):5.159333682138518
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:96:eCdhlFGZRd4UyAi0Rz96zYFGiRdl6dXXdT9gUoLNEmRG3QBinRFRK03K8+GGI9k4:eCSfiozkI/A
                                                                                                                                                                                                MD5:03CF60952E7B59460FD22807E8CB28E1
                                                                                                                                                                                                SHA1:5F4454019C5F33059AE53522FFB534EEF815A5F5
                                                                                                                                                                                                SHA-256:AF7C42AC777B45751763BCEAF8604FA5B842B096DA4D1370158A1C3422713555
                                                                                                                                                                                                SHA-512:BFB3C642759522CD4FD8C784909E97C38E6C44CCED11D70167D0E243D8DA12555A94AA2CD9978745849FA5233A1915485D3E1CB011D985C92A115E44A11B7140
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="660" Height="468" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="900" Foreground="FFFFFF" Background="D42B51">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.. <Font Id="5" Height="-14" Weight="500" Foreground="444444">Segoe UI</Font>.... <Text Name="Title" X="11" Y="11" Width="-11" Height="64" FontId="1" Visible="yes" Center="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="0" Y="0" Width="620" Height="75" FontId="1" />..
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):220512
                                                                                                                                                                                                Entropy (8bit):6.754483649907534
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6144:K6EZdi6e93SuDeTKZxQfsRy26BqbUHYJe:K62i6eNSYeuZ2sRDK
                                                                                                                                                                                                MD5:F68F43F809840328F4E993A54B0D5E62
                                                                                                                                                                                                SHA1:01DA48CE6C81DF4835B4C2ECA7E1D447BE893D39
                                                                                                                                                                                                SHA-256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
                                                                                                                                                                                                SHA-512:A7A799ECF1784FB5E8CD7191BF78B510FF5B07DB07363388D7B32ED21F4FDDC09E34D1160113395F728C0F4E57D13768A0350DBDB207D9224337D2153DC791E1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N............e......e..............................e......e......e..............*.......*.......*.d.............*.......Rich............PE..L......e...........!.........................0...............................@............@.............................................................`W... ..x.......T...........................8...@............0..X............................text............................... ..`.rdata.......0....... ..............@..@.data...............................@....rsrc...............................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):650576
                                                                                                                                                                                                Entropy (8bit):7.1821161714009305
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:v3mgqnIZuYfCYqFet4CovkM7XtZnEdckfNH2t2hQxP5:v3WnIZuMCxezot7dF/95
                                                                                                                                                                                                MD5:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                SHA1:8BF4AD72E787F557114347654EE9164892A09EC3
                                                                                                                                                                                                SHA-256:25F18502EF7C8FD93D93799C6ACB20AF1622FD89084151BB19FF44182AC4C817
                                                                                                                                                                                                SHA-512:EA97D69E05F6828A3D31A0161A43A135C76AB99674EB16938B8A3746ABAD4207854CE4B6D9AE9376D64320BE6C6D71E90FB0724937106AE7044AFD667F0929F5
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L......e..........................................@......................................@.............................................:..............@)...P...>.....T...................4........F..@...................T........................text...>........................... ..`.rdata..&...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...>...P...@..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.8 (x64)., Template: x64;1033, Revision Number: {364B6B15-82BE-426F-A13C-DD7A2B6B2EA4}, Create Time/Date: Tue Jul 16 22:41:10 2024, Last Saved Time/Date: Tue Jul 16 22:41:10 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):798720
                                                                                                                                                                                                Entropy (8bit):6.549856617597805
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:uVOm7qU8VKIvZUlkj/cBhZeK4lu/XdmYw+:uMm7HWvZgkjcDefMFmA
                                                                                                                                                                                                MD5:D7A4563316F82FAC2C537B5A040F5039
                                                                                                                                                                                                SHA1:6A25647F3296F4A328A2EDB1A82BD2FAA1D3FCE8
                                                                                                                                                                                                SHA-256:BA926ABCF18FEBAF15395A58328B92AC8C4EB2B335060B46A560280C8C1B6DA0
                                                                                                                                                                                                SHA-512:32160AFCF8F7A066AEDD4FC3449E1B8C6F104861FC9606E99E7AF9593AFA726895B04AA05F609E3CE8EEDD4464EF5C25436932B1E97E14FF59574D70F4B1CECF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.8 (x64)., Template: x64;1033, Revision Number: {BB639B51-1725-47F5-9229-90393A63E483}, Create Time/Date: Tue Jul 16 22:42:00 2024, Last Saved Time/Date: Tue Jul 16 22:42:00 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):868352
                                                                                                                                                                                                Entropy (8bit):6.7406278086618885
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:12288:0tR4NlbhqU8VKIvZUlkj/cBhZeK4lu/XdmYwA:o6NldHWvZgkjcDefMFmq
                                                                                                                                                                                                MD5:53076072D81680ECBA82EA7648B204F0
                                                                                                                                                                                                SHA1:7A6DFC6EEF94A13D9F032040858EB2D5AA1D34F3
                                                                                                                                                                                                SHA-256:D63FB20F6B8D13D75B3E633DF7FB127721CAF5536963D66659FF29A5D3659F8C
                                                                                                                                                                                                SHA-512:0A8B019221CCFA4DEEF0D07245EFA0F578B9CCD24E24AEF87F5D9F56FC38067AB55A767179441978FAD340E8EC5B60EAC2C3F282247FBDCDD03980373D31513D
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.8 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.8 (x64)., Template: x64;1033, Revision Number: {6AF517CA-B141-429F-9C4F-3B284175B717}, Create Time/Date: Tue Jul 16 22:42:12 2024, Last Saved Time/Date: Tue Jul 16 22:42:12 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):27648000
                                                                                                                                                                                                Entropy (8bit):7.99421368126692
                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                SSDEEP:393216:ng9KX0wCCa0yBBY2aUHkFkY3CHGaUKfi7KIyJ8+HLU4jm0z89CAuWoNzMHPdXpey:nUJ0yBnlk73csb7r+HLU4jHtYNdXbFF
                                                                                                                                                                                                MD5:F9D8FE368CBFA5731BEFC3698E9B109D
                                                                                                                                                                                                SHA1:AA5E1A3E6B3CEB6777376AF84C13E27690BE0CAC
                                                                                                                                                                                                SHA-256:38417C07721A97631B0B7780C0EB6544F08B3F611BDB95CEBCE1407F96E726A2
                                                                                                                                                                                                SHA-512:AF1E521A863CD56B3471F4EDC2C15E7F4332D5C6B7274EDF21DF2C79CE0AE0E3A21D6F37B32F2B61ED121078994333A749CFDE5663F4C25D4DA2F4B6FA4F7C0B
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):69632
                                                                                                                                                                                                Entropy (8bit):0.13415705954573776
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:24:e9pn01EuipVGndYipV5nd/EVqUrgNlGqQbQk54+q+dMClzTK+N:e9501EuSsndYSjnd/EgvUbQfKdNTlN
                                                                                                                                                                                                MD5:14ABD8BF9EF81CAD69BFB0A010FBE813
                                                                                                                                                                                                SHA1:D0005CB37F17E32D3CF5950A634E5E1EF655A427
                                                                                                                                                                                                SHA-256:B0B91E247B8EA9809E555563AB419A59F6A87A897069F0A4942273FDA4C82AFA
                                                                                                                                                                                                SHA-512:C73EE4ABA81238AFFB2E1C3ED2F9546EECECE9453B95C1B5F887552F4F398E48AC11EAB7BEE93BFA004D17B3CD86DE63CBD456DCFBE270A5A2DBBD42D9B2B2E3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2613151155671836
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:UFGu6th8FXz5T5txdAblNOjeSjndd4d/EgvUbQqSsndd4dXE1ZRI:4Go3TXcPOS9B8Nv
                                                                                                                                                                                                MD5:F809C17B46EF87E230384AA065E3041D
                                                                                                                                                                                                SHA1:0F17542CAC4568191A4F183F12D004BD7E8AB865
                                                                                                                                                                                                SHA-256:1120FB7B39131128EAF7BF1E73E1FC1A76CE99FA206DF97298AFD202B8310B00
                                                                                                                                                                                                SHA-512:42ADEF204BE28F985425474422ED1F9DE0701A1006FE361EC0368F9CFD3C9A26FB5ADC2652315444BF1A9817040FF33C691F723CA4422D2280ED0907586CB2A4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2585141073670076
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:rJfGu6th8FXzzT5tpgdtRlgWSjndddwEgvUbQ6SsndddSE1Zdl:RGoNTmtRyWfB8NFv
                                                                                                                                                                                                MD5:DF40A966FC7FEAEE17D7E0AC7642864B
                                                                                                                                                                                                SHA1:7FC9C01F88A3378071CF047A1130162455ECEDA5
                                                                                                                                                                                                SHA-256:1FADB9F06B5E0B7AD5218C1BEDE10720576DCCAEBAFFD6C24843EF256B263D80
                                                                                                                                                                                                SHA-512:E8E6A4B0FC20D0BE063F3A515D84DA9F36BFC728918D93DA6979E0833FB0484977D912DE2ADBC8FCEE78800FB93811AB583E0817497F2EABCB52C80DF982FE9C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.5740193846477335
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:38PhOuRc06WXziFT5BgdtRlgWSjndddwEgvUbQ6SsndddSE1Zdl:2hO1nFTQtRyWfB8NFv
                                                                                                                                                                                                MD5:908AD07D0AEB8A70E202856BFC3627A4
                                                                                                                                                                                                SHA1:18E49BB89006CC8F482140B747CD9E3727BEB089
                                                                                                                                                                                                SHA-256:DC64F22820571F4E8DBED8E111299A87B7FA28545FFA47097A3C34444F67A69F
                                                                                                                                                                                                SHA-512:37B085EBA64CA591F78E20FCDE588A913666CD1782BB87EB1F6AA22369FBAC87F43950BFEE1EFA4A5E76E405050E97550360D0AF0653E790E5497CA259FEDD33
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.5740193846477335
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:38PhOuRc06WXziFT5BgdtRlgWSjndddwEgvUbQ6SsndddSE1Zdl:2hO1nFTQtRyWfB8NFv
                                                                                                                                                                                                MD5:908AD07D0AEB8A70E202856BFC3627A4
                                                                                                                                                                                                SHA1:18E49BB89006CC8F482140B747CD9E3727BEB089
                                                                                                                                                                                                SHA-256:DC64F22820571F4E8DBED8E111299A87B7FA28545FFA47097A3C34444F67A69F
                                                                                                                                                                                                SHA-512:37B085EBA64CA591F78E20FCDE588A913666CD1782BB87EB1F6AA22369FBAC87F43950BFEE1EFA4A5E76E405050E97550360D0AF0653E790E5497CA259FEDD33
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.5442643181293072
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:r8PhTuRc06WXziFT5CdNTlNicSjnd/EgvUbQSSsnd/E1Z5F:ShT1nFTcNTPicIB8NwL
                                                                                                                                                                                                MD5:F819CD0D9A3CBF1ED58C86082ED4B9CB
                                                                                                                                                                                                SHA1:1F5D50A5197E4F8DA7BC59DE21D5E71873E2F690
                                                                                                                                                                                                SHA-256:E80078AC78A5E7CFE9B759231671D4BC85BFA2C32609FD6545755F14CE728B3D
                                                                                                                                                                                                SHA-512:FC117B48B79B2CF027D9487EF01FC5FF72D5FFF19CDCA52F01C59CD5DCB7F47F0A77ED9D4F440300FC0A76AA5FBD8F606F609969DC06879922E9E59ECE967410
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2585141073670076
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:rJfGu6th8FXzzT5tpgdtRlgWSjndddwEgvUbQ6SsndddSE1Zdl:RGoNTmtRyWfB8NFv
                                                                                                                                                                                                MD5:DF40A966FC7FEAEE17D7E0AC7642864B
                                                                                                                                                                                                SHA1:7FC9C01F88A3378071CF047A1130162455ECEDA5
                                                                                                                                                                                                SHA-256:1FADB9F06B5E0B7AD5218C1BEDE10720576DCCAEBAFFD6C24843EF256B263D80
                                                                                                                                                                                                SHA-512:E8E6A4B0FC20D0BE063F3A515D84DA9F36BFC728918D93DA6979E0833FB0484977D912DE2ADBC8FCEE78800FB93811AB583E0817497F2EABCB52C80DF982FE9C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.5442643181293072
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:r8PhTuRc06WXziFT5CdNTlNicSjnd/EgvUbQSSsnd/E1Z5F:ShT1nFTcNTPicIB8NwL
                                                                                                                                                                                                MD5:F819CD0D9A3CBF1ED58C86082ED4B9CB
                                                                                                                                                                                                SHA1:1F5D50A5197E4F8DA7BC59DE21D5E71873E2F690
                                                                                                                                                                                                SHA-256:E80078AC78A5E7CFE9B759231671D4BC85BFA2C32609FD6545755F14CE728B3D
                                                                                                                                                                                                SHA-512:FC117B48B79B2CF027D9487EF01FC5FF72D5FFF19CDCA52F01C59CD5DCB7F47F0A77ED9D4F440300FC0A76AA5FBD8F606F609969DC06879922E9E59ECE967410
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2613151155671836
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:UFGu6th8FXz5T5txdAblNOjeSjndd4d/EgvUbQqSsndd4dXE1ZRI:4Go3TXcPOS9B8Nv
                                                                                                                                                                                                MD5:F809C17B46EF87E230384AA065E3041D
                                                                                                                                                                                                SHA1:0F17542CAC4568191A4F183F12D004BD7E8AB865
                                                                                                                                                                                                SHA-256:1120FB7B39131128EAF7BF1E73E1FC1A76CE99FA206DF97298AFD202B8310B00
                                                                                                                                                                                                SHA-512:42ADEF204BE28F985425474422ED1F9DE0701A1006FE361EC0368F9CFD3C9A26FB5ADC2652315444BF1A9817040FF33C691F723CA4422D2280ED0907586CB2A4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2613151155671836
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:UFGu6th8FXz5T5txdAblNOjeSjndd4d/EgvUbQqSsndd4dXE1ZRI:4Go3TXcPOS9B8Nv
                                                                                                                                                                                                MD5:F809C17B46EF87E230384AA065E3041D
                                                                                                                                                                                                SHA1:0F17542CAC4568191A4F183F12D004BD7E8AB865
                                                                                                                                                                                                SHA-256:1120FB7B39131128EAF7BF1E73E1FC1A76CE99FA206DF97298AFD202B8310B00
                                                                                                                                                                                                SHA-512:42ADEF204BE28F985425474422ED1F9DE0701A1006FE361EC0368F9CFD3C9A26FB5ADC2652315444BF1A9817040FF33C691F723CA4422D2280ED0907586CB2A4
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.578482052600408
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:o8PhOuRc06WXzEFT5JdAblNOjeSjndd4d/EgvUbQqSsndd4dXE1ZRI:3hO15FTNcPOS9B8Nv
                                                                                                                                                                                                MD5:4A3F9ECEF1043E5F4C2AF4C2F2A29D9C
                                                                                                                                                                                                SHA1:AD4A6C727FD094E6DF608319B3DCF16463AEDB53
                                                                                                                                                                                                SHA-256:7325D3B7EC948C97F1D2BAF4D0B2BE44E86020A9C6E12E722ACBFBBDE94488F6
                                                                                                                                                                                                SHA-512:BD34F591793D0F640F430A3B9F802E45535CB26B29FE12A8B8FB97E947DC3BA80367C22E321522511F92B09BA090B2EACA9DEE85E25EE3E40F53ED18FD1A0C42
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):69632
                                                                                                                                                                                                Entropy (8bit):0.14786025834456604
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:B1R01EuSsndd4dASjndd4d/EgvUbQWeOdAblN:zC/9B8wycP
                                                                                                                                                                                                MD5:526AD9946E42063E035E2070A949265B
                                                                                                                                                                                                SHA1:B05912FD64E04EF060DF399F91C69E82254D1055
                                                                                                                                                                                                SHA-256:CEFFA318D6C4D37280EF8F2B86B26D197FE3DCC4D2113C2C73BD7E2EC91F0B6D
                                                                                                                                                                                                SHA-512:5202F65FAF3A30E6FB53A1958C12B8306B84BEFE37F2B5AA10FEE38E512B29B236D91E85BFB4AE27F141C9CBF2A4342FFD9F4B21F57B300F71AC9AD5BFADE72F
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2364556889500369
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:PaLu/th8FXzzT5ddNTlNicSjnd/EgvUbQSSsnd/E1Z5F:yLTNTJNTPicIB8NwL
                                                                                                                                                                                                MD5:361410811FB63096E72347CF96776DE2
                                                                                                                                                                                                SHA1:97285A66572D3BF9992C1DC985BAC69EAA21BABB
                                                                                                                                                                                                SHA-256:E965B3EC03C2831BC687E6AE271AF0FCFC943A640F895052541CBA9583325687
                                                                                                                                                                                                SHA-512:8F5346D4AEABF03061547CE855A5DC115B490C9021C9617339EB818F726EAC31C6E18E35A3B8C9A80602AD4D52CD8729E2947D7EA52BEB6703CAF0FE71DA2DD3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2364556889500369
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:PaLu/th8FXzzT5ddNTlNicSjnd/EgvUbQSSsnd/E1Z5F:yLTNTJNTPicIB8NwL
                                                                                                                                                                                                MD5:361410811FB63096E72347CF96776DE2
                                                                                                                                                                                                SHA1:97285A66572D3BF9992C1DC985BAC69EAA21BABB
                                                                                                                                                                                                SHA-256:E965B3EC03C2831BC687E6AE271AF0FCFC943A640F895052541CBA9583325687
                                                                                                                                                                                                SHA-512:8F5346D4AEABF03061547CE855A5DC115B490C9021C9617339EB818F726EAC31C6E18E35A3B8C9A80602AD4D52CD8729E2947D7EA52BEB6703CAF0FE71DA2DD3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2585141073670076
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:rJfGu6th8FXzzT5tpgdtRlgWSjndddwEgvUbQ6SsndddSE1Zdl:RGoNTmtRyWfB8NFv
                                                                                                                                                                                                MD5:DF40A966FC7FEAEE17D7E0AC7642864B
                                                                                                                                                                                                SHA1:7FC9C01F88A3378071CF047A1130162455ECEDA5
                                                                                                                                                                                                SHA-256:1FADB9F06B5E0B7AD5218C1BEDE10720576DCCAEBAFFD6C24843EF256B263D80
                                                                                                                                                                                                SHA-512:E8E6A4B0FC20D0BE063F3A515D84DA9F36BFC728918D93DA6979E0833FB0484977D912DE2ADBC8FCEE78800FB93811AB583E0817497F2EABCB52C80DF982FE9C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):0.0790302324845693
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4kEF3jLXL9IveIVky6lMt/:2F0i8n0itFzDHF4kIPXuvQM1
                                                                                                                                                                                                MD5:D8881D8484A66AF8AEF6617E69F6EBE3
                                                                                                                                                                                                SHA1:2C682EFF4AA9046173A3CA1951C893AC0404DAAD
                                                                                                                                                                                                SHA-256:37ACAEBD9FE91209B05C52615F9B76BF30004B303E31AAB8E2972847029C7150
                                                                                                                                                                                                SHA-512:940E5F277B65F4E494E919BEDD9C9721CA52C5B811350825903387D4C280DB97EBD77803E57F6135EC89B46388C07E12E797DFF81C7F186E58258B2DEC26A8B3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                Entropy (8bit):1.578482052600408
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:o8PhOuRc06WXzEFT5JdAblNOjeSjndd4d/EgvUbQqSsndd4dXE1ZRI:3hO15FTNcPOS9B8Nv
                                                                                                                                                                                                MD5:4A3F9ECEF1043E5F4C2AF4C2F2A29D9C
                                                                                                                                                                                                SHA1:AD4A6C727FD094E6DF608319B3DCF16463AEDB53
                                                                                                                                                                                                SHA-256:7325D3B7EC948C97F1D2BAF4D0B2BE44E86020A9C6E12E722ACBFBBDE94488F6
                                                                                                                                                                                                SHA-512:BD34F591793D0F640F430A3B9F802E45535CB26B29FE12A8B8FB97E947DC3BA80367C22E321522511F92B09BA090B2EACA9DEE85E25EE3E40F53ED18FD1A0C42
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):0.0791201275397048
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOHhtIC5a8L7SIVky6lMt/:2F0i8n0itFzDHFHhyCl7UM1
                                                                                                                                                                                                MD5:4FE8B129900624EF40198767E7680A30
                                                                                                                                                                                                SHA1:1B175162C8DB95B9B851F442181F80483E7E1AF4
                                                                                                                                                                                                SHA-256:5A1EF9104B7DCBE0BF3C1BC8E7D86DCDBCE11F34C10D668BF6CC18AFB9189EE4
                                                                                                                                                                                                SHA-512:CCB637EF3623FF47F22B315D5A609EA482F19E5562FFC299660FD35E6D2D60F0593EB049413296C67E6E8F1C87124D714F9B4F77BF7D4431E4ECBC4753679855
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):69632
                                                                                                                                                                                                Entropy (8bit):0.14660795393692438
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:sHdk1EuSsndddPSjndddwEgvUbQbwdtRlx:sHW9fB8aotR
                                                                                                                                                                                                MD5:79944C3D49F1B5072681B27D9F490BD6
                                                                                                                                                                                                SHA1:399EDB921928E97617B6EBC20AFEDDF5A1D02B03
                                                                                                                                                                                                SHA-256:4F125DF8044921F892E48202666EA3F70D5533F26EC0F770A20443D3E0990978
                                                                                                                                                                                                SHA-512:E6304512430A1879B3869F9F9141B544E106238EF55B0F1081FC7C8DAF2C7680CD55C5B56634DFE18118B63AECEF951C021A42377E6922ABD59A4563598E38CF
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):0.07763395995496639
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOP5WKMsUUpbLPF4iVky6l51:2F0i8n0itFzDHFP50sU2ndir
                                                                                                                                                                                                MD5:4550D53D8C8B47CA7E5EDEB16DFCF2A0
                                                                                                                                                                                                SHA1:A5A83DE808E87F4AE813A8500F68D941309808A9
                                                                                                                                                                                                SHA-256:81C161DBBCE4A21A507B2546F24BA701BE2942CADF806A8AE60C378BC17F0A4B
                                                                                                                                                                                                SHA-512:B3303576E603A14642AA9566A4AEAA5B83F2707C848A194FA1B3B8A44B80F2562E593B93BC6B6B74A1606D9C80CA0A369D04636F4041B17FD82A942CD4C8D4CE
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                Entropy (8bit):1.2364556889500369
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:PaLu/th8FXzzT5ddNTlNicSjnd/EgvUbQSSsnd/E1Z5F:yLTNTJNTPicIB8NwL
                                                                                                                                                                                                MD5:361410811FB63096E72347CF96776DE2
                                                                                                                                                                                                SHA1:97285A66572D3BF9992C1DC985BAC69EAA21BABB
                                                                                                                                                                                                SHA-256:E965B3EC03C2831BC687E6AE271AF0FCFC943A640F895052541CBA9583325687
                                                                                                                                                                                                SHA-512:8F5346D4AEABF03061547CE855A5DC115B490C9021C9617339EB818F726EAC31C6E18E35A3B8C9A80602AD4D52CD8729E2947D7EA52BEB6703CAF0FE71DA2DD3
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\EtEskrivare.exe
                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):457
                                                                                                                                                                                                Entropy (8bit):4.9819756192650555
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:6:vDXuEyVVzuIMFWVzYY28NEX0diAvqbzPy2A4G2GoW+S2u5ENUmOoy:SEQdMYWwNEODoPcMu5+9Ooy
                                                                                                                                                                                                MD5:7EFD64B94E927320CA8C4921ECF1BA31
                                                                                                                                                                                                SHA1:7604687F898A6DBD93681F34839AAC3A7F88BA59
                                                                                                                                                                                                SHA-256:45B7B244FE16E99A6F2EA3109238AF43FD89A91D78788E3E1931E656BF002BE5
                                                                                                                                                                                                SHA-512:A17AEFD74678D127FCBB55D01F8781373EFDFC148F3D73F8D7C6ADE0B56DC7811EEB8B55F05AA5FDFE6696E8B2370943508ACC4BAD8FC9B60127F644B4AAA24C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview:Output:....Error:..Add-Printer : The spooler service is not reachable. Ensure the spooler service is running...At line:3 char:9..+ Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_Printer:ROOT/StandardCimv2/MSFT_Printer) [Add-Printer], CimException.. + FullyQualifiedErrorId : HRESULT 0x800706ba,Add-Printer.. ....
                                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                Entropy (8bit):7.999125256845531
                                                                                                                                                                                                TrID:
                                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                File name:EtEskr.exe
                                                                                                                                                                                                File size:28'779'520 bytes
                                                                                                                                                                                                MD5:891a35ef9a4c3b463013b62f888b3927
                                                                                                                                                                                                SHA1:c1482dc6f5db6149374fccdf4fcdae76f9b362f2
                                                                                                                                                                                                SHA256:7f817123a5f3a6a0405f42f93c0213f5014043b42cb46b34430eeffe1a340e8c
                                                                                                                                                                                                SHA512:e236ea28a590495b32fadc5810d3c4c3f46173268294d910cddd403e369808d7e5cb0b14c283aab32c69b2a85967694dc535a80e837aebeeaf3727e8697d3bfa
                                                                                                                                                                                                SSDEEP:786432:5dXCgRAZVNlHKRkw7GattyHHBBJf5+5VGCXjTii+yv4mKP:rXCgkNg2KPAjp5+5VGUjui+ygmKP
                                                                                                                                                                                                TLSH:9B5733E2B8DB4243CD659F31B0BA847D223679F882F1869E1B0EBD7970C3361059D7A5
                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.@]...............2.....................0....@..........................`.............................................
                                                                                                                                                                                                Icon Hash:69797d929693a825
                                                                                                                                                                                                Entrypoint:0x401000
                                                                                                                                                                                                Entrypoint Section:.code
                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                DLL Characteristics:
                                                                                                                                                                                                Time Stamp:0x5D400562 [Tue Jul 30 08:52:50 2019 UTC]
                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                Import Hash:5877688b4859ffd051f6be3b8e0cd533
                                                                                                                                                                                                Instruction
                                                                                                                                                                                                push 000000ACh
                                                                                                                                                                                                push 00000000h
                                                                                                                                                                                                push 00418010h
                                                                                                                                                                                                call 00007F3A88CEDB21h
                                                                                                                                                                                                add esp, 0Ch
                                                                                                                                                                                                push 00000000h
                                                                                                                                                                                                call 00007F3A88CEDB1Ah
                                                                                                                                                                                                mov dword ptr [00418014h], eax
                                                                                                                                                                                                push 00000000h
                                                                                                                                                                                                push 00001000h
                                                                                                                                                                                                push 00000000h
                                                                                                                                                                                                call 00007F3A88CEDB07h
                                                                                                                                                                                                mov dword ptr [00418010h], eax
                                                                                                                                                                                                call 00007F3A88CEDA81h
                                                                                                                                                                                                mov eax, 00417088h
                                                                                                                                                                                                mov dword ptr [00418034h], eax
                                                                                                                                                                                                call 00007F3A88CF68A2h
                                                                                                                                                                                                call 00007F3A88CF660Eh
                                                                                                                                                                                                call 00007F3A88CF3508h
                                                                                                                                                                                                call 00007F3A88CF2D8Ch
                                                                                                                                                                                                call 00007F3A88CF281Fh
                                                                                                                                                                                                call 00007F3A88CF2599h
                                                                                                                                                                                                call 00007F3A88CF20BDh
                                                                                                                                                                                                call 00007F3A88CF183Dh
                                                                                                                                                                                                call 00007F3A88CEDE05h
                                                                                                                                                                                                call 00007F3A88CF5188h
                                                                                                                                                                                                call 00007F3A88CF3C30h
                                                                                                                                                                                                mov edx, 0041702Eh
                                                                                                                                                                                                lea ecx, dword ptr [0041801Ch]
                                                                                                                                                                                                call 00007F3A88CEDA98h
                                                                                                                                                                                                push FFFFFFF5h
                                                                                                                                                                                                call 00007F3A88CEDAA8h
                                                                                                                                                                                                mov dword ptr [0041803Ch], eax
                                                                                                                                                                                                mov eax, 00000200h
                                                                                                                                                                                                push eax
                                                                                                                                                                                                lea eax, dword ptr [004180B8h]
                                                                                                                                                                                                push eax
                                                                                                                                                                                                xor eax, eax
                                                                                                                                                                                                push eax
                                                                                                                                                                                                push 00000015h
                                                                                                                                                                                                push 00000004h
                                                                                                                                                                                                call 00007F3A88CF27E2h
                                                                                                                                                                                                push dword ptr [004180A0h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1717c | 0xc8 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1b5cd08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17470 | 0x22c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.code | 0x1000 | 0x37f0 | 0x3800 | 6c0f4094a5493360ae8c9032ef3a9f47 | False | 0.47140066964285715 | data | 5.608776130769213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text | 0x5000 | 0xd2c2 | 0xd400 | 1da643e4b1937b50550f9d9e8250428e | False | 0.5114239386792453 | data | 6.558083729279072 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x339d | 0x3400 | 4fb07923b0eb72c40319d48fd2d4f13f | False | 0.8046123798076923 | data | 7.110640338733979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x172c | 0x1200 | 0e3ac9c294aabfae43ec258c53757520 | False | 0.3938802083333333 | data | 4.996833821638619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19000 | 0x1b5cd08 | 0x1b5ce00 | dafe38c2a979b8bc37e881983dc0e729 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x197c4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5780141843971631
RT_ICON | 0x19c2c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.4864754098360656
RT_ICON | 0x1a5b4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.36444652908067543
RT_ICON | 0x1b65c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3244813278008299
RT_ICON | 0x1dc04 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.23258148323098723
RT_ICON | 0x21e2c | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.2659426987060998
RT_ICON | 0x272b4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.23489068740803026
RT_ICON | 0x3075c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.1472701999290193
RT_RCDATA | 0x40f84 | 0xc3 | data | | | 1.0564102564102564
RT_RCDATA | 0x41048 | 0x1b228e5 | data | | | 1.0003108978271484
RT_RCDATA | 0x1b63930 | 0x180 | data | | | 1.0286458333333333
RT_RCDATA | 0x1b63ab0 | 0x4d | data | | | 1.1428571428571428
RT_RCDATA | 0x1b63b00 | 0x15 | zlib compressed data | | | 1.380952380952381
RT_RCDATA | 0x1b63b18 | 0xa | data | | | 1.8
RT_RCDATA | 0x1b63b24 | 0x969 | data | | | 1.004566210045662
RT_RCDATA | 0x1b64490 | 0xde | data | | | 1.0495495495495495
RT_RCDATA | 0x1b64570 | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0x1b64574 | 0xf89d | data | | | 1.000408515987116
RT_RCDATA | 0x1b73e14 | 0x190e | PGP Secret Sub-key - | | | 1.0017149984409106
RT_GROUP_ICON | 0x1b75724 | 0x76 | data | | | 0.7288135593220338
RT_VERSION | 0x1b7579c | 0x2cc | data | | | 0.5027932960893855
RT_MANIFEST | 0x1b75a68 | 0x2a0 | XML 1.0 document, ASCII text, with very long lines (672), with no line terminators | | | 0.5520833333333334
DLL | Import
MSVCRT.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL | GetStockObject
COMCTL32.DLL | InitCommonControlsEx
SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL | timeBeginPeriod
OLE32.DLL | CoInitialize, CoTaskMemFree
SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
                                                                                                                                                                                                No network behavior found


                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                Start time:09:25:47
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Users\user\Desktop\EtEskr.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\Users\user\Desktop\EtEskr.exe"
                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                File size:28'779'520 bytes
                                                                                                                                                                                                MD5 hash:891A35EF9A4C3B463013B62F888B3927
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                Start time:09:25:49
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"
                                                                                                                                                                                                Imagebase:0x7ff70a1e0000
                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:3
                                                                                                                                                                                                Start time:09:25:49
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:4
                                                                                                                                                                                                Start time:09:25:50
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:dotnet-runtime-8.0.8-win-x64.exe /q
                                                                                                                                                                                                Imagebase:0xa90000
                                                                                                                                                                                                File size:28'703'680 bytes
                                                                                                                                                                                                MD5 hash:6078CD9F0B46862256D9C8B3BB4F86EF
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                Start time:09:25:50
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q
                                                                                                                                                                                                Imagebase:0x390000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                Start time:09:25:50
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076
                                                                                                                                                                                                Imagebase:0xd40000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                Start time:09:25:52
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                Imagebase:0x7ff6cbce0000
                                                                                                                                                                                                File size:69'632 bytes
                                                                                                                                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                Start time:09:25:53
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B9E5D64A3023B24E1C83A523BE5C5639
                                                                                                                                                                                                Imagebase:0xbe0000
                                                                                                                                                                                                File size:59'904 bytes
                                                                                                                                                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                Start time:09:26:00
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce
                                                                                                                                                                                                Imagebase:0xd60000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                Start time:09:26:00
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
                                                                                                                                                                                                Imagebase:0xd60000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:11
                                                                                                                                                                                                Start time:09:26:00
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
                                                                                                                                                                                                Imagebase:0xd60000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:12
                                                                                                                                                                                                Start time:09:26:03
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3909D66778F6C5107F8B15D5ECB299A6
                                                                                                                                                                                                Imagebase:0xbe0000
                                                                                                                                                                                                File size:59'904 bytes
                                                                                                                                                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:14
                                                                                                                                                                                                Start time:09:26:03
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B854354A711E3251713D5F3210D22CCB
                                                                                                                                                                                                Imagebase:0xbe0000
                                                                                                                                                                                                File size:59'904 bytes
                                                                                                                                                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:15
                                                                                                                                                                                                Start time:09:26:06
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\EtEskrivare.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:EtEskrivare.exe
                                                                                                                                                                                                Imagebase:0x7ff66cb20000
                                                                                                                                                                                                File size:138'752 bytes
                                                                                                                                                                                                MD5 hash:43D024998EC3E5791995017E6550DD9C
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:16
                                                                                                                                                                                                Start time:09:26:06
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:17
                                                                                                                                                                                                Start time:09:26:06
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
                                                                                                                                                                                                Imagebase:0x7ff760310000
                                                                                                                                                                                                File size:452'608 bytes
                                                                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                Start time:09:26:06
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                Start time:09:26:10
                                                                                                                                                                                                Start date:03/10/2024
                                                                                                                                                                                                Path:C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{90908595-DBF2-48E3-B425-27B7CE5D8A50} {A89BB288-DC86-46DD-9CDA-AF6EDBCB231B} 6500
                                                                                                                                                                                                Imagebase:0xd60000
                                                                                                                                                                                                File size:650'576 bytes
                                                                                                                                                                                                MD5 hash:C0CBF8F15105720847041131C8C45598
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true


                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                  Execution Coverage:20.8%
                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                  Signature Coverage:1.9%
                                                                                                                                                                                                  Total number of Nodes:2000
                                                                                                                                                                                                  Total number of Limit Nodes:27
TlsGetValue SetLastError 5506->6102 5508 401df2 6103 40de80 GetLastError TlsGetValue SetLastError 5508->6103 5510 401dfa 5511 409872 21 API calls 5510->5511 5512 401e06 5511->5512 5513 40dec0 3 API calls 5512->5513 5513->5423 5515 403df9 5514->5515 5515->5515 5516 40dfc0 21 API calls 5515->5516 5533 403e0b 5516->5533 5517 40de80 GetLastError TlsGetValue SetLastError 5538 403e8c 5517->5538 5518 40de80 GetLastError TlsGetValue SetLastError 5518->5533 5520 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5520->5533 5521 405dc0 3 API calls 5521->5538 5522 40de80 GetLastError TlsGetValue SetLastError 5543 403f0d 5522->5543 5523 405dc0 3 API calls 5523->5543 5524 40de80 GetLastError TlsGetValue SetLastError 5550 403f8e 5524->5550 5525 40de80 GetLastError TlsGetValue SetLastError 5557 40400f 5525->5557 5526 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5526->5543 5527 405dc0 3 API calls 5527->5550 5528 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5528->5533 5529 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5529->5538 5530 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5530->5550 5531 405dc0 3 API calls 5531->5557 5532 40de80 GetLastError TlsGetValue SetLastError 5567 404115 5532->5567 5533->5518 5533->5520 5533->5528 5533->5538 6924 405dc0 5533->6924 5534 405dc0 3 API calls 5562 404090 5534->5562 5535 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5535->5543 5536 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5536->5557 5537 4042a4 6135 40de80 GetLastError TlsGetValue SetLastError 5537->6135 5538->5517 5538->5521 5538->5529 5542 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5538->5542 5538->5543 5539 405dc0 3 API calls 5539->5567 5540 40de80 GetLastError TlsGetValue SetLastError 5575 40421f 5540->5575 5542->5538 5543->5522 5543->5523 5543->5526 5543->5535 5543->5550 5544 4042b0 5549 40e020 4 API calls 5544->5549 5545 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5545->5550 5546 40de80 GetLastError TlsGetValue SetLastError 5546->5562 5547 40dec0 
TlsGetValue RtlAllocateHeap HeapReAlloc 5547->5567 5548 405dc0 3 API calls 5573 40419a 5548->5573 5551 4042b8 5549->5551 5550->5524 5550->5527 5550->5530 5550->5545 5550->5557 5556 40e020 4 API calls 5551->5556 5552 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5552->5557 5553 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5553->5562 5554 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5554->5573 5555 405dc0 3 API calls 5555->5575 5558 4042c2 5556->5558 5557->5525 5557->5531 5557->5536 5557->5552 5557->5562 5561 40dec0 3 API calls 5558->5561 5559 40de80 GetLastError TlsGetValue SetLastError 5559->5573 5560 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5560->5575 5563 4042ce 5561->5563 5562->5534 5562->5546 5562->5553 5564 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 5562->5564 5562->5567 6136 40de80 GetLastError TlsGetValue SetLastError 5563->6136 5564->5562 5565 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5565->5567 5567->5532 5567->5539 5567->5547 5567->5565 5567->5573 5568 4042d4 6137 403275 5568->6137 5570 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5570->5573 5571 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 5571->5575 5573->5548 5573->5554 5573->5559 5573->5570 5573->5575 5574 40dec0 3 API calls 5576 4042ed 5574->5576 5575->5537 5575->5540 5575->5555 5575->5560 5575->5571 5577 40985e 17 API calls 5576->5577 5578 4042f2 GetModuleHandleW 5577->5578 6230 40de80 GetLastError TlsGetValue SetLastError 5578->6230 5580 40430b 6231 40de80 GetLastError TlsGetValue SetLastError 5580->6231 5582 404313 6232 40de80 GetLastError TlsGetValue SetLastError 5582->6232 5584 40431b 6233 40de80 GetLastError TlsGetValue SetLastError 5584->6233 5586 404323 5587 40d100 8 API calls 5586->5587 5588 404335 5587->5588 6234 405182 TlsGetValue 5588->6234 5590 40433a 5591 405eb0 6 API calls 5590->5591 5592 404342 5591->5592 5593 40dec0 3 API calls 5592->5593 5594 40434c 5593->5594 6235 40de80 GetLastError TlsGetValue SetLastError 5594->6235 5596 404352 6236 40de80 
GetLastError TlsGetValue SetLastError 5596->6236 5598 40435a 6237 40de80 GetLastError TlsGetValue SetLastError 5598->6237 5600 404362 6238 40de80 GetLastError TlsGetValue SetLastError 5600->6238 5602 40436a 5603 40d100 8 API calls 5602->5603 5604 40437a 5603->5604 6239 405182 TlsGetValue 5604->6239 5606 40437f 5607 405eb0 6 API calls 5606->5607 5608 404387 5607->5608 5609 40dec0 3 API calls 5608->5609 5610 404391 5609->5610 6240 402e9d 5610->6240 5614 4043a4 6257 4021a4 5614->6257 5617 4051a0 3 API calls 5618 4043b4 5617->5618 6373 40195b 5618->6373 5624 4043c8 6464 40358d 5624->6464 5627 40dec0 3 API calls 5628 4043ee PathRemoveBackslashW 5627->5628 5629 404402 5628->5629 6592 40de80 GetLastError TlsGetValue SetLastError 5629->6592 5631 404408 6593 40de80 GetLastError TlsGetValue SetLastError 5631->6593 5633 404410 6594 402bfa 5633->6594 5637 404422 6624 405182 TlsGetValue 5637->6624 5639 40442b 6625 4098c0 5639->6625 5642 4051a0 3 API calls 5643 404439 5642->5643 6629 40de80 GetLastError TlsGetValue SetLastError 5643->6629 5645 404445 5646 40e020 4 API calls 5645->5646 5647 40444d 5646->5647 5648 40e020 4 API calls 5647->5648 5649 404459 5648->5649 5650 40dec0 3 API calls 5649->5650 5651 404465 5650->5651 6630 40de80 GetLastError TlsGetValue SetLastError 5651->6630 5653 40446b 6631 401e55 5653->6631 5656 40dec0 3 API calls 5657 404480 5656->5657 6677 403855 5657->6677 5661 404491 5662 40e020 4 API calls 5661->5662 5663 404499 5662->5663 5664 40dec0 3 API calls 5663->5664 5665 4044a3 PathQuoteSpacesW 5664->5665 6871 40de80 GetLastError TlsGetValue SetLastError 5665->6871 5667 4044b6 5668 40e020 4 API calls 5667->5668 5669 4044be 5668->5669 5670 40e020 4 API calls 5669->5670 5671 4044c9 5670->5671 5672 40e020 4 API calls 5671->5672 5673 4044d3 5672->5673 5674 40dec0 3 API calls 5673->5674 5675 4044dd PathQuoteSpacesW 5674->5675 5676 4044f1 5675->5676 5677 404509 5675->5677 6927 405492 CreateThread 5676->6927 6937 402ca9 5677->6937 5681 404512 6872 40de80 
GetLastError TlsGetValue SetLastError 5681->6872 5683 404518 6873 40de80 GetLastError TlsGetValue SetLastError 5683->6873 5685 404524 5686 40e020 4 API calls 5685->5686 5687 40452c 5686->5687 5688 40e020 4 API calls 5687->5688 5689 404537 5688->5689 5690 40e020 4 API calls 5689->5690 5691 404541 5690->5691 6874 40e080 TlsGetValue 5691->6874 5693 404546 6875 40de80 GetLastError TlsGetValue SetLastError 5693->6875 5695 40454c 6876 40de80 GetLastError TlsGetValue SetLastError 5695->6876 5697 404554 6877 40a7f5 5697->6877 5742 40dfc0 21 API calls 5741->5742 5743 40300e 5742->5743 8117 40de80 GetLastError TlsGetValue SetLastError 5743->8117 5745 403014 8118 40de80 GetLastError TlsGetValue SetLastError 5745->8118 5747 40301c 8119 40de80 GetLastError TlsGetValue SetLastError 5747->8119 5749 403024 8120 40de80 GetLastError TlsGetValue SetLastError 5749->8120 5751 40302c 5752 40d100 8 API calls 5751->5752 5753 40303e 5752->5753 8121 405182 TlsGetValue 5753->8121 5755 403043 5756 405eb0 6 API calls 5755->5756 5757 40304b 5756->5757 5758 40dec0 3 API calls 5757->5758 5759 403055 5758->5759 8122 40de80 GetLastError TlsGetValue SetLastError 5759->8122 5761 40305b 8123 40de80 GetLastError TlsGetValue SetLastError 5761->8123 5763 403063 8124 40de80 GetLastError TlsGetValue SetLastError 5763->8124 5765 40306b 8125 40de80 GetLastError TlsGetValue SetLastError 5765->8125 5767 403073 5768 40d100 8 API calls 5767->5768 5769 403083 5768->5769 8126 405182 TlsGetValue 5769->8126 5771 403088 5772 405eb0 6 API calls 5771->5772 5773 403090 5772->5773 5774 40dec0 3 API calls 5773->5774 5775 40309a 5774->5775 5776 402e9d 35 API calls 5775->5776 5777 4030a2 5776->5777 8127 40de80 GetLastError TlsGetValue SetLastError 5777->8127 5779 4030ac 5780 4021a4 122 API calls 5779->5780 5781 4030b7 5780->5781 5782 4051a0 3 API calls 5781->5782 5783 4030bc 5782->5783 8128 40de80 GetLastError TlsGetValue SetLastError 5783->8128 5785 4030c2 8129 40de80 GetLastError TlsGetValue SetLastError 5785->8129 5787 
4030ca 5788 409355 33 API calls 5787->5788 5789 4030dd 5788->5789 5790 40dec0 3 API calls 5789->5790 5791 4030e7 5790->5791 5792 40323e 5791->5792 8130 40de80 GetLastError TlsGetValue SetLastError 5791->8130 5792->5792 5794 4030fe 8131 40de80 GetLastError TlsGetValue SetLastError 5794->8131 5796 403106 8132 40de80 GetLastError TlsGetValue SetLastError 5796->8132 5798 40310e 8133 40de80 GetLastError TlsGetValue SetLastError 5798->8133 5800 403116 5801 40d100 8 API calls 5800->5801 5802 403128 5801->5802 8134 405182 TlsGetValue 5802->8134 5804 40312d 5805 405eb0 6 API calls 5804->5805 5806 403135 5805->5806 5807 40dec0 3 API calls 5806->5807 5808 40313f 5807->5808 8135 40de80 GetLastError TlsGetValue SetLastError 5808->8135 5810 403145 8136 40de80 GetLastError TlsGetValue SetLastError 5810->8136 5812 40314d 8137 40de80 GetLastError TlsGetValue SetLastError 5812->8137 5814 403155 8138 40de80 GetLastError TlsGetValue SetLastError 5814->8138 5816 40315d 5817 40d100 8 API calls 5816->5817 5818 40316f 5817->5818 8139 405182 TlsGetValue 5818->8139 5820 403174 5821 405eb0 6 API calls 5820->5821 5822 40317c 5821->5822 5823 40dec0 3 API calls 5822->5823 5824 403186 5823->5824 8140 40de80 GetLastError TlsGetValue SetLastError 5824->8140 5826 40318c 5827 403cd7 84 API calls 5826->5827 5828 40319c 5827->5828 5829 40dec0 3 API calls 5828->5829 5830 4031a8 5829->5830 8141 40de80 GetLastError TlsGetValue SetLastError 5830->8141 5832 4031ae 5833 403cd7 84 API calls 5832->5833 5834 4031be 5833->5834 5835 40dec0 3 API calls 5834->5835 5836 4031c8 PathAddBackslashW 5835->5836 8142 40de80 GetLastError TlsGetValue SetLastError 5836->8142 5838 4031d7 8143 40de80 GetLastError TlsGetValue SetLastError 5838->8143 5840 4031e7 5841 40e020 4 API calls 5840->5841 5842 4031ef 5841->5842 5843 40e020 4 API calls 5842->5843 5844 4031fb 5843->5844 8144 405182 TlsGetValue 5844->8144 5846 403200 5847 40240c 34 API calls 5846->5847 5848 403208 5847->5848 5849 4051a0 3 API calls 5848->5849 5850 40320d 
5849->5850 8145 40de80 GetLastError TlsGetValue SetLastError 5850->8145 5852 403217 5853 40e020 4 API calls 5852->5853 5854 40321f 5853->5854 5855 40dec0 3 API calls 5854->5855 5856 40322b PathRemoveBackslashW 5855->5856 5857 402ca9 141 API calls 5856->5857 5857->5792 5858->5327 5859->5330 5861 40d362 5860->5861 5862 40d3a0 TlsGetValue HeapReAlloc TlsSetValue 5861->5862 5863 40d378 TlsAlloc HeapAlloc TlsSetValue 5861->5863 5864 40d3e0 5862->5864 5865 40d3dc 5862->5865 5863->5862 5870 40db72 HeapAlloc 5864->5870 5865->5864 5866 409674 5865->5866 5869 40d52c HeapAlloc HeapAlloc InitializeCriticalSection 5866->5869 5869->5336 5871 40d3ec 5870->5871 5871->5866 5873 40e141 wcslen 5872->5873 5874 40e1ad 5872->5874 5875 40e176 HeapReAlloc 5873->5875 5876 40e158 HeapAlloc 5873->5876 5877 40e1b5 HeapFree 5874->5877 5878 40e198 5874->5878 5875->5878 5876->5878 5877->5878 5878->5341 5880 409def HeapAlloc 5879->5880 5881 409ed8 5879->5881 5880->5345 5880->5346 5905 40a11a 5881->5905 5883 409ee0 5912 40d946 5883->5912 5886 409f23 HeapFree 5886->5880 5887 409f0f 5888 409f10 HeapFree 5887->5888 5888->5888 5889 409f22 5888->5889 5889->5886 5891 40d83a 5890->5891 5892 40d8f2 RtlAllocateHeap 5891->5892 5893 40d846 5891->5893 5895 40d907 5892->5895 5896 409e76 HeapAlloc 5892->5896 5949 40da43 LoadLibraryW 5893->5949 5895->5896 5898 40d930 InitializeCriticalSection 5895->5898 5896->5350 5898->5896 5899 40d86b 5900 40d887 HeapAlloc 5899->5900 5901 40d8e5 LeaveCriticalSection 5899->5901 5900->5901 5902 40d89d 5900->5902 5901->5896 5903 40d819 6 API calls 5902->5903 5904 40d8b4 5903->5904 5904->5901 5908 40a12e 5905->5908 5906 40a177 memset 5909 40a190 5906->5909 5907 40a139 HeapFree 5907->5908 5908->5906 5908->5907 5925 411d8a 5908->5925 5930 40d74b 5908->5930 5909->5883 5913 40d953 EnterCriticalSection 5912->5913 5914 40d9b8 5912->5914 5916 40d9ae LeaveCriticalSection 5913->5916 5917 40d96f 5913->5917 5940 40d6dd 5914->5940 5918 409ee8 HeapFree HeapFree 5916->5918 5920 40d946 4 API 
calls 5917->5920 5918->5886 5918->5887 5923 40d979 HeapFree 5920->5923 5921 40d9c4 DeleteCriticalSection 5922 40d9ce HeapFree 5921->5922 5922->5918 5923->5916 5926 411e85 5925->5926 5927 411da2 5925->5927 5926->5908 5927->5926 5929 411d8a HeapFree 5927->5929 5937 40df50 5927->5937 5929->5927 5931 40d758 EnterCriticalSection 5930->5931 5935 40d762 5930->5935 5931->5935 5932 40d814 5932->5908 5933 40d80a LeaveCriticalSection 5933->5932 5934 40d7cb 5934->5932 5934->5933 5935->5934 5936 40d7b5 HeapFree 5935->5936 5936->5934 5938 40df5b HeapFree 5937->5938 5939 40df6e 5937->5939 5938->5939 5939->5927 5941 40d6f5 5940->5941 5942 40d6eb EnterCriticalSection 5940->5942 5943 40d712 5941->5943 5944 40d6fc HeapFree 5941->5944 5942->5941 5945 40d718 HeapFree 5943->5945 5946 40d72e 5943->5946 5944->5943 5944->5944 5945->5945 5945->5946 5947 40d745 5946->5947 5948 40d73b LeaveCriticalSection 5946->5948 5947->5921 5947->5922 5948->5947 5950 40da60 GetProcAddress 5949->5950 5951 40da8b InterlockedCompareExchange 5949->5951 5954 40da80 FreeLibrary 5950->5954 5955 40da70 5950->5955 5952 40da9b 5951->5952 5953 40daaf InterlockedExchange 5951->5953 5956 40d855 EnterCriticalSection 5952->5956 5958 40daa0 Sleep 5952->5958 5953->5956 5954->5951 5954->5956 5955->5954 5956->5899 5958->5952 5960 40a4c6 5959->5960 5964 40a4a7 5959->5964 5961 40a3eb 5960->5961 5962 40d74b 3 API calls 5960->5962 5961->5359 5962->5960 5963 411d8a HeapFree 5963->5964 5964->5961 5964->5963 5965 40d74b 3 API calls 5964->5965 5965->5964 5967 40dbdb 5966->5967 5971 40dd26 5966->5971 5967->5373 5967->5375 5968 40dd51 HeapFree 5968->5967 5969 40dd4f 5969->5968 5970 411d8a HeapFree 5970->5971 5971->5968 5971->5969 5971->5970 5973 40dfea TlsGetValue 5972->5973 5974 40dfcc 5972->5974 5976 402f4d 5973->5976 5977 40dffb 5973->5977 5975 40de30 5 API calls 5974->5975 5978 40dfd1 TlsGetValue 5975->5978 5984 4051a0 5976->5984 6016 40e6a0 HeapAlloc HeapAlloc TlsSetValue 5977->6016 6007 412082 5978->6007 5981 40e000 TlsGetValue 
5983 412082 13 API calls 5981->5983 5983->5976 6017 40e780 GetLastError TlsGetValue SetLastError 5984->6017 5986 4051ab 5986->5387 5987->5389 5988->5391 5989->5393 5990->5395 5992 40d12d 5991->5992 6018 40d220 5992->6018 5995 405182 TlsGetValue 5995->5399 5997 405ebd 5996->5997 6028 40e1e0 TlsGetValue 5997->6028 6000 40e260 3 API calls 6001 405ed1 6000->6001 6002 405edd 6001->6002 6030 40e370 TlsGetValue 6001->6030 6004 405f0d 6002->6004 6005 405f00 CharUpperW 6002->6005 6004->5401 6005->5401 6006->5403 6008 412092 TlsAlloc InitializeCriticalSection 6007->6008 6009 4120ae TlsGetValue 6007->6009 6008->6009 6010 4120c4 HeapAlloc 6009->6010 6011 41214b HeapAlloc 6009->6011 6012 40dfe8 6010->6012 6013 4120de EnterCriticalSection 6010->6013 6011->6012 6012->5976 6014 4120f0 7 API calls 6013->6014 6015 4120ee 6013->6015 6014->6011 6015->6014 6016->5981 6017->5986 6019 40d22c 6018->6019 6022 40e260 TlsGetValue 6019->6022 6023 40e27b 6022->6023 6024 40e2a1 HeapReAlloc 6023->6024 6027 40e2d4 6023->6027 6025 402fd9 6024->6025 6025->5995 6026 40e2f0 HeapReAlloc 6026->6025 6027->6025 6027->6026 6029 405ec5 6028->6029 6029->6000 6030->6002 6031->5412 6032->5414 6033->5416 6035 40e260 3 API calls 6034->6035 6036 4096aa GetModuleFileNameW wcscmp 6035->6036 6037 4096e5 6036->6037 6038 4096cd memmove 6036->6038 6104 40e3f0 TlsGetValue 6037->6104 6038->6037 6040 401bc5 6041 405182 TlsGetValue 6040->6041 6041->5420 6042->5436 6043->5440 6044->5443 6045->5445 6046->5447 6047->5451 6049 405e1d 6048->6049 6050 40e1e0 TlsGetValue 6049->6050 6051 405e40 6050->6051 6052 40e260 3 API calls 6051->6052 6053 405e4c 6052->6053 6054 401ce9 6053->6054 6105 40e370 TlsGetValue 6053->6105 6056 405182 TlsGetValue 6054->6056 6056->5456 6106 40d080 6057->6106 6060 405182 TlsGetValue 6060->5460 6061->5466 6063 40e042 6062->6063 6064 40e033 wcslen 6062->6064 6065 40e260 3 API calls 6063->6065 6064->6063 6066 40e04d 6065->6066 6066->5468 6067->5472 6068->5474 6069->5476 6070->5478 6071->5482 6072->5488 
6073->5490 6075 405f2e 6074->6075 6076 40e1e0 TlsGetValue 6075->6076 6077 405f4a 6076->6077 6078 40e260 3 API calls 6077->6078 6079 405f56 6078->6079 6081 405f62 6079->6081 6122 40e370 TlsGetValue 6079->6122 6081->5492 6123 40d2e8 TlsGetValue 6082->6123 6087 40de80 GetLastError TlsGetValue SetLastError 6087->5498 6088->5500 6090 40d2e8 16 API calls 6089->6090 6091 409885 6090->6091 6092 40973a 17 API calls 6091->6092 6093 409898 6092->6093 6094 40e260 3 API calls 6093->6094 6095 4098a6 6094->6095 6133 40e3f0 TlsGetValue 6095->6133 6097 401dc9 6098 40e080 TlsGetValue 6097->6098 6098->5504 6134 40e740 TlsGetValue 6099->6134 6101 40516a 6101->5506 6102->5508 6103->5510 6104->6040 6105->6054 6109 40d092 6106->6109 6107 40d0dd 6108 40d220 3 API calls 6107->6108 6110 401cf6 6108->6110 6109->6107 6111 40d0b2 6109->6111 6110->6060 6115 4121a0 6111->6115 6113 40d0b8 6121 412190 free 6113->6121 6116 412214 malloc 6115->6116 6117 4121ac WideCharToMultiByte 6115->6117 6116->6113 6117->6116 6119 4121e0 malloc 6117->6119 6119->6116 6120 4121f2 WideCharToMultiByte 6119->6120 6120->6113 6121->6107 6122->6081 6124 409869 6123->6124 6125 40d2fb HeapAlloc TlsSetValue 6123->6125 6129 40973a 6124->6129 6126 40d327 6125->6126 6127 412082 13 API calls 6126->6127 6128 40d348 6127->6128 6128->6124 6130 40d2e8 16 API calls 6129->6130 6131 40974b GetCommandLineW 6130->6131 6132 401dab 6131->6132 6132->5423 6132->6087 6133->6097 6134->6101 6135->5544 6136->5568 6138 40327b 6137->6138 6138->6138 6139 40dfc0 21 API calls 6138->6139 6140 40328d 6139->6140 6141 4051a0 3 API calls 6140->6141 6142 403296 6141->6142 7002 405060 6142->7002 6145 405060 2 API calls 6146 4032af 6145->6146 7005 402bc1 6146->7005 6149 4032b8 7012 40559a GetVersionExW 6149->7012 6150 4032cb 6153 4032d5 6150->6153 6154 40343b 6150->6154 7018 40de80 GetLastError TlsGetValue SetLastError 6153->7018 7050 40de80 GetLastError TlsGetValue SetLastError 6154->7050 6157 4032db 7019 40de80 GetLastError TlsGetValue SetLastError 
6157->7019 6158 403441 7051 40de80 GetLastError TlsGetValue SetLastError 6158->7051 6161 4032e3 7020 4062c0 6161->7020 6162 403449 6164 4062c0 3 API calls 6162->6164 6165 403455 6164->6165 6167 40dec0 3 API calls 6165->6167 6169 40345f GetSystemDirectoryW PathAddBackslashW 6167->6169 6168 40dec0 3 API calls 6170 4032f9 GetWindowsDirectoryW PathAddBackslashW 6168->6170 6171 403439 6169->6171 7023 40de80 GetLastError TlsGetValue SetLastError 6170->7023 7010 40de80 GetLastError TlsGetValue SetLastError 6171->7010 6174 40331a 6176 40e020 4 API calls 6174->6176 6175 403480 6177 40e020 4 API calls 6175->6177 6178 403322 6176->6178 6179 403488 6177->6179 6180 40e020 4 API calls 6178->6180 7011 405170 TlsGetValue 6179->7011 6182 40332d 6180->6182 6184 40dec0 3 API calls 6182->6184 6183 40348f 6187 40df50 HeapFree 6183->6187 6185 403337 PathAddBackslashW 6184->6185 7024 40de80 GetLastError TlsGetValue SetLastError 6185->7024 6189 4034a7 6187->6189 6188 40334a 6190 40e020 4 API calls 6188->6190 6191 40df50 HeapFree 6189->6191 6192 403352 6190->6192 6193 4034af 6191->6193 6194 40e020 4 API calls 6192->6194 6195 40df50 HeapFree 6193->6195 6197 40335c 6194->6197 6196 4034b8 6195->6196 6198 40df50 HeapFree 6196->6198 6199 40dec0 3 API calls 6197->6199 6200 4034c1 6198->6200 6201 403366 6199->6201 6202 40df50 HeapFree 6200->6202 7025 40de80 GetLastError TlsGetValue SetLastError 6201->7025 6204 4034ca 6202->6204 6204->5574 6205 403370 6206 40e020 4 API calls 6205->6206 6207 403378 6206->6207 6208 40e020 4 API calls 6207->6208 6209 403382 6208->6209 6210 40e020 4 API calls 6209->6210 6211 40338c 6210->6211 6212 40dec0 3 API calls 6211->6212 6213 403396 6212->6213 7026 40adc0 6213->7026 6215 4033a4 6216 4033ba 6215->6216 7036 40a9d0 6215->7036 6218 40adc0 11 API calls 6216->6218 6219 4033d2 6218->6219 6220 4033e8 6219->6220 6221 40a9d0 11 API calls 6219->6221 6220->6171 7048 40de80 GetLastError TlsGetValue SetLastError 6220->7048 6221->6220 6223 403404 7049 40de80 GetLastError 
TlsGetValue SetLastError 6223->7049 6225 40340c 6226 4062c0 3 API calls 6225->6226 6227 403418 6226->6227 6228 40dec0 3 API calls 6227->6228 6229 403422 GetSystemDirectoryW PathAddBackslashW 6228->6229 6229->6171 6230->5580 6231->5582 6232->5584 6233->5586 6234->5590 6235->5596 6236->5598 6237->5600 6238->5602 6239->5606 6241 40dfc0 21 API calls 6240->6241 6242 402eaa 6241->6242 6243 405060 2 API calls 6242->6243 6244 402eb6 FindResourceW 6243->6244 6245 402ed5 6244->6245 6246 402ef1 6244->6246 7106 4026b8 6245->7106 7100 409ba0 6246->7100 6250 402f00 7103 40e7c0 6250->7103 6254 40df50 HeapFree 6255 402f3b 6254->6255 6256 40de80 GetLastError TlsGetValue SetLastError 6255->6256 6256->5614 6258 40dfc0 21 API calls 6257->6258 6259 4021b0 6258->6259 6260 4051a0 3 API calls 6259->6260 6261 4021b9 6260->6261 6262 4021d2 6261->6262 6263 4023ba 6261->6263 7142 40de80 GetLastError TlsGetValue SetLastError 6262->7142 7140 40de80 GetLastError TlsGetValue SetLastError 6263->7140 6266 4021d8 7143 40de80 GetLastError TlsGetValue SetLastError 6266->7143 6267 4023c4 6269 40e020 4 API calls 6267->6269 6271 4023cc 6269->6271 6270 4021e0 7144 40de80 GetLastError TlsGetValue SetLastError 6270->7144 7141 405170 TlsGetValue 6271->7141 6274 4021e8 7145 40de80 GetLastError TlsGetValue SetLastError 6274->7145 6275 4023d3 6278 40df50 HeapFree 6275->6278 6277 4021f0 7146 409c10 6277->7146 6280 4023eb 6278->6280 6282 40df50 HeapFree 6280->6282 6281 402204 7155 405182 TlsGetValue 6281->7155 6284 4023f4 6282->6284 6286 40df50 HeapFree 6284->6286 6285 402209 7156 406060 6285->7156 6287 4023fc 6286->6287 6289 40df50 HeapFree 6287->6289 6291 402405 6289->6291 6291->5617 6292 40dec0 3 API calls 6293 40221b 6292->6293 7159 40de80 GetLastError TlsGetValue SetLastError 6293->7159 6295 402221 7160 40de80 GetLastError TlsGetValue SetLastError 6295->7160 6297 402229 7161 40de80 GetLastError TlsGetValue SetLastError 6297->7161 6299 402231 7162 40de80 GetLastError TlsGetValue SetLastError 6299->7162 6301 
402239 6302 409c10 5 API calls 6301->6302 6303 402250 6302->6303 7163 405182 TlsGetValue 6303->7163 6305 402255 6306 406060 5 API calls 6305->6306 6307 40225d 6306->6307 6308 40dec0 3 API calls 6307->6308 6309 402267 6308->6309 7164 40de80 GetLastError TlsGetValue SetLastError 6309->7164 6311 40226d 7165 40de80 GetLastError TlsGetValue SetLastError 6311->7165 6313 402275 7166 40de80 GetLastError TlsGetValue SetLastError 6313->7166 6315 402288 7167 40de80 GetLastError TlsGetValue SetLastError 6315->7167 6317 402290 7168 4057f0 6317->7168 6319 4022a6 7184 40e080 TlsGetValue 6319->7184 6321 4022ab 7185 40de80 GetLastError TlsGetValue SetLastError 6321->7185 6323 4022b1 7186 40de80 GetLastError TlsGetValue SetLastError 6323->7186 6325 4022b9 6326 4057f0 9 API calls 6325->6326 6327 4022cf 6326->6327 7187 405182 TlsGetValue 6327->7187 6329 4022d4 7188 405182 TlsGetValue 6329->7188 6331 4022dc 7189 408f69 6331->7189 6334 40dec0 3 API calls 6335 4022ef 6334->6335 6336 4023b0 6335->6336 6337 402300 6335->6337 6338 401fa9 36 API calls 6336->6338 7231 40de80 GetLastError TlsGetValue SetLastError 6337->7231 6338->6263 6340 402306 7232 40de80 GetLastError TlsGetValue SetLastError 6340->7232 6342 40230e 7233 40de80 GetLastError TlsGetValue SetLastError 6342->7233 6344 40231b 7234 40de80 GetLastError TlsGetValue SetLastError 6344->7234 6346 402323 6347 406060 5 API calls 6346->6347 6348 40232e 6347->6348 7235 405182 TlsGetValue 6348->7235 6350 402333 6351 40d100 8 API calls 6350->6351 6352 40233b 6351->6352 6353 40dec0 3 API calls 6352->6353 6354 402345 6353->6354 6355 4023ae 6354->6355 7236 40de80 GetLastError TlsGetValue SetLastError 6354->7236 6355->6263 6357 40235b 7237 40de80 GetLastError TlsGetValue SetLastError 6357->7237 6359 402368 7238 40de80 GetLastError TlsGetValue SetLastError 6359->7238 6361 402370 6362 4057f0 9 API calls 6361->6362 6363 402386 6362->6363 7239 40e080 TlsGetValue 6363->7239 6365 40238b 7240 405182 TlsGetValue 6365->7240 6367 402396 7241 408e27 
6367->7241 6370 4051a0 3 API calls 6371 4023a4 6370->6371 6372 401fa9 36 API calls 6371->6372 6372->6355 6374 40dfc0 21 API calls 6373->6374 6393 401969 6374->6393 6375 4019ea 6377 409ba0 RtlAllocateHeap 6375->6377 6376 40de80 GetLastError TlsGetValue SetLastError 6376->6393 6378 4019f4 6377->6378 7298 40de80 GetLastError TlsGetValue SetLastError 6378->7298 6380 4019fe 7299 40de80 GetLastError TlsGetValue SetLastError 6380->7299 6381 405dc0 3 API calls 6381->6393 6383 401a06 7300 40a756 6383->7300 6384 40dec0 TlsGetValue RtlAllocateHeap HeapReAlloc 6384->6393 6387 40dec0 3 API calls 6388 401a17 GetTempFileNameW 6387->6388 7309 40de80 GetLastError TlsGetValue SetLastError 6388->7309 6389 40e020 wcslen TlsGetValue HeapReAlloc HeapReAlloc 6389->6393 6391 401a35 7310 40de80 GetLastError TlsGetValue SetLastError 6391->7310 6393->6375 6393->6376 6393->6381 6393->6384 6393->6389 6394 401a3d 6395 409bc0 4 API calls 6394->6395 6396 401a48 6395->6396 6397 40dec0 3 API calls 6396->6397 6398 401a54 6397->6398 7311 40a7e7 6398->7311 6404 401a8a 7320 40de80 GetLastError TlsGetValue SetLastError 6404->7320 6406 401a92 6407 409bc0 4 API calls 6406->6407 6408 401a9d 6407->6408 6409 40dec0 3 API calls 6408->6409 6410 401aa9 6409->6410 6411 40a7e7 2 API calls 6410->6411 6412 401ab4 6411->6412 6413 40a6c5 3 API calls 6412->6413 6414 401abf GetTempFileNameW PathAddBackslashW 6413->6414 7321 40de80 GetLastError TlsGetValue SetLastError 6414->7321 6416 401aea 7322 40de80 GetLastError TlsGetValue SetLastError 6416->7322 6418 401af2 6419 409bc0 4 API calls 6418->6419 6420 401afd 6419->6420 6421 40dec0 3 API calls 6420->6421 6422 401b09 6421->6422 6423 40a7e7 2 API calls 6422->6423 6424 401b14 PathRenameExtensionW GetTempFileNameW 6423->6424 7323 40de80 GetLastError TlsGetValue SetLastError 6424->7323 6426 401b43 7324 40de80 GetLastError TlsGetValue SetLastError 6426->7324 6428 401b4b 6429 409bc0 4 API calls 6428->6429 6430 401b56 6429->6430 6431 40dec0 3 API calls 6430->6431 6432 401b62 

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                                                                                                                                                                                    • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040E2C7
                                                                                                                                                                                                  • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A863
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A875
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A89B
                                                                                                                                                                                                  • wcscat.MSVCRT ref: 0040A8A6
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A8AC
                                                                                                                                                                                                  • CoTaskMemFree.OLE32(?,00000000,00000000,?,03E68F28,00000000,00000000), ref: 0040A8BA
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A8C1
                                                                                                                                                                                                  • wcscat.MSVCRT ref: 0040A8D9
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A8DF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                                                                                                                                                                  • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                                                                                                                                                                  • API String ID: 1740785346-287042676
                                                                                                                                                                                                  • Opcode ID: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
                                                                                                                                                                                                  • Instruction ID: ae609db33c227b916d8c96984f24cc4820d8d1ee700964f601e6ad2a5a3ba7d8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ace73f6e0916171b361586c2bbf184c955ba55397e49a90223a244ca9597bb20
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C821F871344701B6D2303B62EC4EF6F2A78DB91B90F11483BF901B51D2D6BC8A6199AF

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AD4
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401ADF
                                                                                                                                                                                                  • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B1E
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B38
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040DF1C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileNameTemp$Value$ErrorHeapLastPath$AllocAllocateBackslashExtensionRenamewcslen
                                                                                                                                                                                                  • String ID: $pA$$pA$$pA$$pA
                                                                                                                                                                                                  • API String ID: 294508876-1531182785
                                                                                                                                                                                                  • Opcode ID: b2a47d3a69da297a5c371819f22778c9ce536ee57489486bc46bcfba792172a4
                                                                                                                                                                                                  • Instruction ID: 28b0c429ac0839269b991b7b7970ea1d3eb295239ca2258b2b80e935eceb64c8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2a47d3a69da297a5c371819f22778c9ce536ee57489486bc46bcfba792172a4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD510AB1514600AED600BBB1EC4297F7B7EEB98319F01883FF544690A2CA3D985D9A6D

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040100F
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
                                                                                                                                                                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
                                                                                                                                                                                                    • Part of subcall function 0040DE30: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
                                                                                                                                                                                                    • Part of subcall function 0040DE30: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47
                                                                                                                                                                                                    • Part of subcall function 00409B40: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49
                                                                                                                                                                                                    • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(004186D0,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
                                                                                                                                                                                                    • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
                                                                                                                                                                                                    • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                                                                                                                                                                                    • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
                                                                                                                                                                                                    • Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004186A8,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0
                                                                                                                                                                                                  • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
                                                                                                                                                                                                    • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
                                                                                                                                                                                                    • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
                                                                                                                                                                                                    • Part of subcall function 00409DE0: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
                                                                                                                                                                                                    • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A418
                                                                                                                                                                                                    • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A431
                                                                                                                                                                                                    • Part of subcall function 0040A3DA: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A43B
                                                                                                                                                                                                    • Part of subcall function 0040A348: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A35B
                                                                                                                                                                                                    • Part of subcall function 0040A348: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00417078,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A370
                                                                                                                                                                                                    • Part of subcall function 0040DBCA: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
                                                                                                                                                                                                    • Part of subcall function 0040DBCA: memset.MSVCRT ref: 0040DC35
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
                                                                                                                                                                                                    • Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
                                                                                                                                                                                                    • Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2
                                                                                                                                                                                                  • ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011A5
                                                                                                                                                                                                  • HeapDestroy.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011B5
                                                                                                                                                                                                  • ExitProcess.KERNEL32(00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 004011BA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonControlsDestroyEnumInitLoadModuleResourceTypes
                                                                                                                                                                                                  • String ID: .pA$:pA
                                                                                                                                                                                                  • API String ID: 3272620648-1142403416

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                                                                                                                                                                                    • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040E2C7
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A76D
                                                                                                                                                                                                  • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A77A
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A78C
                                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A799
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A79E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
                                                                                                                                                                                                  • String ID: GetLongPathNameW$Kernel32.DLL
                                                                                                                                                                                                  • API String ID: 820969696-2943376620

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB31
                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB72
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040ABBC
                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000001,00000000), ref: 0040ABDE
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000001,00000000), ref: 0040AC17
                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC6A
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$Create$AllocHeapPointer
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 4207849991-0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00418624,0041861C,0040D9E2,00000000,FFFFFFED,00000200,77515E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D85A
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D891
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00418624,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8EA
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77515E70,00409E76,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D8FB
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D937
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1272335518-0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SHGetFolderLocation.SHELL32(00000000,03E68F28,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A91B,00000000,00000000,00000104,?), ref: 0040A97E
                                                                                                                                                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A98F
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A99A
                                                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000,?,00000104,0040A91B,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A9B8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 4012708801-0
                                                                                                                                                                                                  • Opcode ID: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
                                                                                                                                                                                                  • Instruction ID: 15676ea375ba95ce47a4ad1d62f3a4f85f84cc5ccd71b7d74cdbb22097095955
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 19b4b104c0b63c733be71c6c9fc4bbe8097ebb7fbe2648ca0bea1f237fe466b4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F0D136610614BAC7205B6ADD08DAB7B78EF06660B414126F805E6250E7308920C7E5

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 260 402022-402024 261 402029-402034 260->261 261->261 262 402036-4020ac call 40dfc0 call 405060 * 3 ShellExecuteExW 261->262 271 4020b0-4020cd call 405532 GetExitCodeProcess 262->271 274 4020dd 271->274 275 4020cf-4020d9 271->275 274->271 275->274 276 4020db-402106 call 40df50 * 3 275->276
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 004020A7
                                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 004020C6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CodeExecuteExitProcessShell
                                                                                                                                                                                                  • String ID: open
                                                                                                                                                                                                  • API String ID: 1016612177-2758837156
                                                                                                                                                                                                  • Opcode ID: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
                                                                                                                                                                                                  • Instruction ID: 2b8263a944a9b57d4591781c670f1b736d97a98816e9e989756960c1ab26e777
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fb2f0ec770fda151a68555488377ed97fba283763a87ea546f97f21bf454217
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66219D71008309AFD700EF54C855A9FBBE8EF44304F10882EF299E2291DB79D909CF96

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                                                                                                                                                                                    • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
                                                                                                                                                                                                    • Part of subcall function 00409698: memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                                                                                                                                                                                    • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048,00000000), ref: 00401BCD
                                                                                                                                                                                                  • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BEA
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00418048), ref: 00401BF2
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 983379767-0
                                                                                                                                                                                                  • Opcode ID: b37687816f17cc606034eac6666f7345c61d1d3c86ba26d654f45f3f54732b4c
                                                                                                                                                                                                  • Instruction ID: 657320b8a0b9e8c73ad23a805e8a4a11547555e009ba7fb8d64ba55fc2021fd8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b37687816f17cc606034eac6666f7345c61d1d3c86ba26d654f45f3f54732b4c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22514AB59047007AE2007BB2DD82E7F66AEDBD4709F10893FF944790D2C93C984996AE

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 429 40b020-40b034 430 40b127-40b12d 429->430 431 40b03a-40b03e 429->431 432 40b040-40b068 SetFilePointer 431->432 433 40b06b-40b075 431->433 432->433 434 40b077-40b082 433->434 435 40b0e8-40b0f3 call 40aa40 433->435 437 40b0d3-40b0e5 434->437 438 40b084-40b085 434->438 442 40b115-40b122 435->442 443 40b0f5-40b112 WriteFile 435->443 440 40b087-40b08a 438->440 441 40b0bc-40b0d0 438->441 444 40b0a7-40b0b9 440->444 445 40b08c-40b08d 440->445 446 40b091-40b0a4 memcpy 442->446 445->446
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B058
                                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,00000001), ref: 0040B092
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FilePointermemcpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1104741977-0
                                                                                                                                                                                                  • Opcode ID: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
                                                                                                                                                                                                  • Instruction ID: 223037c69186752c1411635bf46ae5d03fa463101b4e1ddb65380de8071f5603
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 01662b736399dd0210b3166c1eac24a2b1f7f8f1802043f53fe0b6834fe756e1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93313A392047019FC320DF29D844E5BB7E1EFD4314F04882EE59A97750D335E919CBA6

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 447 40acd0-40ace9 call 40d498 450 40ad97-40ad9c 447->450 451 40acef-40ad0e CreateFileW 447->451 452 40ad10-40ad2a CreateFileW 451->452 453 40ad2c-40ad2e 451->453 452->453 454 40ad7b-40ad7e 452->454 453->454 455 40ad30-40ad37 453->455 458 40ad80 454->458 459 40ad82-40ad89 call 40d40a 454->459 456 40ad39-40ad4b HeapAlloc 455->456 457 40ad4d 455->457 460 40ad50-40ad73 456->460 457->460 458->459 464 40ad8e-40ad94 459->464 462 40ad75 460->462 463 40ad77-40ad79 460->463 462->463 463->454 463->464
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
                                                                                                                                                                                                    • Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000001,C0000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000), ref: 0040AD03
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000000,00000000,00000005,00000000,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000), ref: 0040AD1F
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00403D71), ref: 0040AD42
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateCriticalFileSection$AllocEnterHeapLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 49537883-0
                                                                                                                                                                                                  • Opcode ID: 77a3a4dc96fe71d80ff8b98f2eb07c8599513133427dfd39a94d0ded6d6483c5
                                                                                                                                                                                                  • Instruction ID: 17b7462b81454ce18d37354b8f3c370ec8805b9b61ac808ea8b7cd238551b505
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 77a3a4dc96fe71d80ff8b98f2eb07c8599513133427dfd39a94d0ded6d6483c5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58219F312007006BC3305F1A9C48F57BFFAEFC5765F10863EF5A5A2AE0D63598158B69

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  control_flow_graph 465 40dec0-40dee7 TlsGetValue 466 40df06-40df25 HeapReAlloc 465->466 467 40dee9-40df04 RtlAllocateHeap 465->467 468 40df27-40df4d call 40e3a0 466->468 467->468
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                  • HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040DF1C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocAllocateValue
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1566162415-0
                                                                                                                                                                                                  • Opcode ID: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
                                                                                                                                                                                                  • Instruction ID: 93a72ebc0765164a1c418c05f64e83f02c193a946cd328b9657e87a1490d81f0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 391403ca008f830686c32838620f38fbd141f2e22e04a7bef1baef16fc724d55
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F111B974A00208EFCB04DF98D894E9ABBB6FF88314F20C159F9099B355D735AA41DB94

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  control_flow_graph 471 40a6c5-40a6d2 472 40a6d4-40a706 wcsncpy wcslen 471->472 473 40a73d 471->473 474 40a71e-40a726 472->474 475 40a73f-40a742 473->475 476 40a708-40a70f 474->476 477 40a728-40a73b CreateDirectoryW 474->477 478 40a711-40a714 476->478 479 40a71b 476->479 477->475 478->479 480 40a716-40a719 478->480 479->474 480->477 480->479
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateDirectorywcslenwcsncpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 961886536-0
                                                                                                                                                                                                  • Opcode ID: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
                                                                                                                                                                                                  • Instruction ID: 5eb92d4f139d310a1ce384b3b75a423d404f976685da56e70024377017fd7883
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc8a7ec8d54b194b434c4abf9ee5240936a68a416eca0cc9abdb5220f9513762
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E0167B180131896CB24DB64CC8DEBA73B8DF04304F6086BBE415E71D1E779DAA4DB5A

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  control_flow_graph 481 408dee-408e26 memset InitCommonControlsEx CoInitialize
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00408DFB
                                                                                                                                                                                                  • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
                                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00408E1D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CommonControlsInitInitializememset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2179856907-0
                                                                                                                                                                                                  • Opcode ID: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
                                                                                                                                                                                                  • Instruction ID: d18f3e268914b4fee2ab689e9e6bda8f6ab82eec5aee9dd7765ec6ce908ab83c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 91c7401402fa2f0ea5928b71181181df8ef358baa4c0a6ad788b24867e7e8746
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12E08CB088430CBBEB009BD0DC0EF8DBB7CEB00315F0041A4F904A2280EBB466488B95

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  control_flow_graph 482 4098c0-4098c5 483 4098c7-4098cd 482->483 484 4098df 482->484 485 4098d4-4098d9 SetEnvironmentVariableW 483->485 486 4098cf 483->486 485->484 486->485
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetEnvironmentVariableW.KERNELBASE(03E68F28,03E68F28,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: EnvironmentVariable
                                                                                                                                                                                                  • String ID: $0A
                                                                                                                                                                                                  • API String ID: 1431749950-513306843
                                                                                                                                                                                                  • Opcode ID: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
                                                                                                                                                                                                  • Instruction ID: a83057451cf148fd94e5dae0918d05dd15dd477b401c26288c9a060c20ad275f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c567db1f8ae5e831e25467e71350c4bb5df89e506d1786ab4261c5f7a60237e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7C01231619201BBD710EA14C904B57BBE5EB50345F04C439B044912B0C338CC44D705
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040D498: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
                                                                                                                                                                                                    • Part of subcall function 0040D498: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040ADF3
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AE15
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2608263337-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DD1D: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DBDB,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040DD5E
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070), ref: 0040DBFA
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040DC35
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateFreememset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2774703448-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00402000
                                                                                                                                                                                                  • RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 0040200B
                                                                                                                                                                                                    • Part of subcall function 004053C7: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D7
                                                                                                                                                                                                    • Part of subcall function 00405436: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
                                                                                                                                                                                                    • Part of subcall function 00405436: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
                                                                                                                                                                                                    • Part of subcall function 00405436: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1205394408-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE3C
                                                                                                                                                                                                  • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DE47
                                                                                                                                                                                                    • Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(03E60000,00000000,0000000C,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6AE
                                                                                                                                                                                                    • Part of subcall function 0040E6A0: HeapAlloc.KERNEL32(03E60000,00000000,00000010,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6C2
                                                                                                                                                                                                    • Part of subcall function 0040E6A0: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040DE57,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E6EB
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocHeap$CreateValue
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 493873155-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000002,00000080,0040A7F2,03E68F28,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A7D0
                                                                                                                                                                                                  • DeleteFileW.KERNELBASE(00000000,0040A7F2,03E68F28,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A7DA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$AttributesDelete
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2910425767-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapDestroy.KERNELBASE(03E60000,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE69
                                                                                                                                                                                                  • TlsFree.KERNELBASE(0000000D,?,004011AF,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098), ref: 0040DE76
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DestroyFreeHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3293292866-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040AA13
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040AA1B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseFreeHandleHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1642312469-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                    • Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1
                                                                                                                                                                                                  • GetShortPathNameW.KERNEL32(03E68F28,03E68F28,00002710), ref: 00402C34
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 00409B80: RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                    • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                                                                                                                                                                                    • Part of subcall function 0040DF50: HeapFree.KERNEL32(03E60000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 192546213-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040AA08,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA67
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileWrite
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3934441357-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: InfoNativeSystem
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1721193555-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsFree.KERNELBASE(004011D8,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 0040D2E1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Free
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3978063606-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409B49
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 10892065-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B8C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409B36
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DestroyHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2435110975-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000), ref: 004026C9
                                                                                                                                                                                                  • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004026D9
                                                                                                                                                                                                    • Part of subcall function 00409BA0: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409BB1
                                                                                                                                                                                                    • Part of subcall function 00409C80: memcpy.MSVCRT(?,00000000,00000000,?,?,00402705,03E68F28,03E68F28,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000), ref: 00409C90
                                                                                                                                                                                                  • FreeResource.KERNEL32(?,03E68F28,03E68F28,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 00402708
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 4216414443-0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: D@A
                                                                                                                                                                                                  • API String ID: 0-2037432845
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 004055BA
                                                                                                                                                                                                    • Part of subcall function 00405553: memset.MSVCRT ref: 00405562
                                                                                                                                                                                                    • Part of subcall function 00405553: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
                                                                                                                                                                                                    • Part of subcall function 00405553: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581
                                                                                                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 00405619
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Version$AddressHandleModuleProcmemset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3445250173-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(004098F0,0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008), ref: 00409A6C
                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004,00000000,00417070,00000008,00000008), ref: 00409A80
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00418048,00000000,00000000,00000004,00000000,00417070,00000008,0000000C,000186A1,00000007,00417080,00418098,00000004), ref: 00409956
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
                                                                                                                                                                                                    • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
                                                                                                                                                                                                    • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
                                                                                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 00408FB2
                                                                                                                                                                                                  • LoadIconW.USER32 ref: 00408FE9
                                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
                                                                                                                                                                                                  • RegisterClassExW.USER32 ref: 00409021
                                                                                                                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00409048
                                                                                                                                                                                                  • EnableWindow.USER32(00000000), ref: 00409059
                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000001), ref: 00409091
                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000000), ref: 0040909E
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
                                                                                                                                                                                                  • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
                                                                                                                                                                                                  • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
                                                                                                                                                                                                  • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 00409189
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 00409191
                                                                                                                                                                                                  • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
                                                                                                                                                                                                  • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
                                                                                                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 0040921F
                                                                                                                                                                                                  • BringWindowToTop.USER32(00000000), ref: 00409226
                                                                                                                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
                                                                                                                                                                                                  • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
                                                                                                                                                                                                  • TranslateMessage.USER32(?), ref: 00409259
                                                                                                                                                                                                  • DispatchMessageW.USER32(?), ref: 00409264
                                                                                                                                                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 00409289
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004092A1
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
                                                                                                                                                                                                  • String ID: 0$BUTTON$D0A$EDIT$STATIC
                                                                                                                                                                                                  • API String ID: 54849019-2968808370
                                                                                                                                                                                                  • Opcode ID: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
                                                                                                                                                                                                  • Instruction ID: 83f6c24ff00e7acae504a8cc9f4403d446bfccf5cce4438541287e2077ea33a9
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d18335faca37df58a642912671a5e6e9ed3b5d57d2cc689f0dbf3b56ae086657
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E91A070648304BFE7219F64DC49F9B7FA9FB48B50F00893EF644A61E1CBB988448B59
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 004057F0: wcsncmp.MSVCRT ref: 00405853
                                                                                                                                                                                                    • Part of subcall function 004057F0: memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                                                                                                                                                                                    • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040DF1C
                                                                                                                                                                                                    • Part of subcall function 0040A6C5: wcsncpy.MSVCRT ref: 0040A6E3
                                                                                                                                                                                                    • Part of subcall function 0040A6C5: wcslen.MSVCRT ref: 0040A6F5
                                                                                                                                                                                                    • Part of subcall function 0040A6C5: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A735
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorHeapLastValuewcslenwcsncpy$AllocAllocateCreateDirectoryFileWritememmovewcsncmp
                                                                                                                                                                                                  • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$fpA$fpA$fpA$fpA$fpA
                                                                                                                                                                                                  • API String ID: 1139839066-3159487945
                                                                                                                                                                                                  • Opcode ID: d82c78c97cd93cd8359ad247b64c810d717c980519cb538e660ca643c8351bca
                                                                                                                                                                                                  • Instruction ID: b4e4a0b709d291d116e2253cfe1eb4aef96e8d0e4325569d50da54c09323f468
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d82c78c97cd93cd8359ad247b64c810d717c980519cb538e660ca643c8351bca
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E3B134B1504300AED600BBA1DD81E7F77A9EB88308F108D3FF544B61A2CA3DDD59966D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00409373
                                                                                                                                                                                                    • Part of subcall function 0040E3F0: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E3FA
                                                                                                                                                                                                  • memset.MSVCRT ref: 00409381
                                                                                                                                                                                                  • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                                                                                                                                                                                  • wcsncpy.MSVCRT ref: 004093DD
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 004093F1
                                                                                                                                                                                                  • CoTaskMemFree.OLE32(?), ref: 0040947A
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 00409481
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
                                                                                                                                                                                                  • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                                                                                                                                                                  • API String ID: 4193992262-92458654
                                                                                                                                                                                                  • Opcode ID: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
                                                                                                                                                                                                  • Instruction ID: 23f57ca1c929181bfbc58391faabb4ebc57556df945843c0c8e437b0019b5ca4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c1c89229e1b22e48d7f066479dda1c34872fd3251ec2b755b1888499f20ca0d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3416471508704AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B6A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • wcsncpy.MSVCRT ref: 00406405
                                                                                                                                                                                                    • Part of subcall function 0040E1E0: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E1EA
                                                                                                                                                                                                  • _wcsdup.MSVCRT ref: 0040644E
                                                                                                                                                                                                  • _wcsdup.MSVCRT ref: 00406469
                                                                                                                                                                                                  • _wcsdup.MSVCRT ref: 0040648C
                                                                                                                                                                                                  • wcsncpy.MSVCRT ref: 00406578
                                                                                                                                                                                                  • free.MSVCRT ref: 004065DC
                                                                                                                                                                                                  • free.MSVCRT ref: 004065EF
                                                                                                                                                                                                  • free.MSVCRT ref: 00406602
                                                                                                                                                                                                  • wcsncpy.MSVCRT ref: 0040662E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _wcsdupfreewcsncpy$Value
                                                                                                                                                                                                  • String ID: $0A$$0A$$0A
                                                                                                                                                                                                  • API String ID: 1554701960-360074770
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsAlloc.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00412092
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 0041209E
                                                                                                                                                                                                  • TlsGetValue.KERNEL32(?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 004120B4
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120CE
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00418688,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 004120DF
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00418688,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 004120FB
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00412114
                                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00412117
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 0041211E
                                                                                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412121
                                                                                                                                                                                                  • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041217A,00000000,000000FF,00000008), ref: 00412137
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412144
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E018,0040DF80,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00412155
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 298514914-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040DF1C
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: BackslashPath$Directory$ErrorHeapLastSystemValue$AllocAllocateWindows
                                                                                                                                                                                                  • String ID: sysnative
                                                                                                                                                                                                  • API String ID: 3255304431-821172135
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D855,0041861C,0040D9E2,00000000,FFFFFFED,00000200,77515E70,00409E76,FFFFFFED,00000010), ref: 0040DA51
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA66
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA81
                                                                                                                                                                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA90
                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DAA2
                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DAB5
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
                                                                                                                                                                                                  • String ID: InitOnceExecuteOnce$Kernel32.dll
                                                                                                                                                                                                  • API String ID: 2918862794-1339284965
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040951F
                                                                                                                                                                                                  • IsWindowVisible.USER32(?), ref: 00409526
                                                                                                                                                                                                    • Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00409543
                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00409550
                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 0040955E
                                                                                                                                                                                                  • IsWindowEnabled.USER32(?), ref: 00409569
                                                                                                                                                                                                  • EnableWindow.USER32(?,00000000), ref: 00409579
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3383493704-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnumWindows.USER32(00409507,?), ref: 0040959B
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 004095B3
                                                                                                                                                                                                  • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 004095EF
                                                                                                                                                                                                  • EnableWindow.USER32(?,00000001), ref: 00409605
                                                                                                                                                                                                  • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$CurrentThread$EnableEnumWindows
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2527101397-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D378
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D38C
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D399
                                                                                                                                                                                                  • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3B0
                                                                                                                                                                                                  • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3BF
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D3CE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocValue$Heap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2472784365-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • UnregisterWait.KERNEL32(?), ref: 0041200E
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,0041218A,?), ref: 00412017
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412023
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00418688,?,?,?,0041218A,?), ref: 00412048
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041218A,?), ref: 00412066
                                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,0041218A,?), ref: 00412078
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 4204870694-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • wcsncmp.MSVCRT ref: 00405853
                                                                                                                                                                                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00417024), ref: 004058E1
                                                                                                                                                                                                  • wcsncpy.MSVCRT ref: 004058F9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: memmovewcsncmpwcsncpy
                                                                                                                                                                                                  • String ID: $0A$$0A
                                                                                                                                                                                                  • API String ID: 1452150355-167650565
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • memset.MSVCRT ref: 00405562
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressHandleModuleProcmemset
                                                                                                                                                                                                  • String ID: RtlGetVersion$ntdll.dll
                                                                                                                                                                                                  • API String ID: 3137504439-1489217083
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A0AB
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?,00403C62), ref: 0040A0C1
                                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A0CC
                                                                                                                                                                                                  • memset.MSVCRT ref: 0040A0FA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocHeapmemsetwcscpywcslen
                                                                                                                                                                                                  • String ID: $0A
                                                                                                                                                                                                  • API String ID: 1807340688-513306843
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
                                                                                                                                                                                                    • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
                                                                                                                                                                                                    • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
                                                                                                                                                                                                    • Part of subcall function 00409ECF: HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DFF
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E25
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E82
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E9C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$Free$Alloc
                                                                                                                                                                                                  • String ID: $0A
                                                                                                                                                                                                  • API String ID: 3901518246-513306843
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,03E68F28), ref: 004054AB
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
                                                                                                                                                                                                    • Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(004186A8,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3708593966-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF
                                                                                                                                                                                                    • Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
                                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D9C8
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D9D7
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3171405041-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040E260: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E26C
                                                                                                                                                                                                    • Part of subcall function 0040E260: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040E2C7
                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
                                                                                                                                                                                                  • wcscmp.MSVCRT ref: 004096C2
                                                                                                                                                                                                  • memmove.MSVCRT(00000000,00000008,\\?\,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 004096DA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocFileHeapModuleNameValuememmovewcscmp
                                                                                                                                                                                                  • String ID: \\?\
                                                                                                                                                                                                  • API String ID: 3734239354-4282027825
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocHeapwcsncpy
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2304708654-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406696
                                                                                                                                                                                                  • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066D0
                                                                                                                                                                                                  • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 004066FF
                                                                                                                                                                                                  • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,00402745,00000000,00000000), ref: 00406705
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CharLower
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1615517891-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D0B8,00000000), ref: 004121D4
                                                                                                                                                                                                  • malloc.MSVCRT ref: 004121E4
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00412201
                                                                                                                                                                                                  • malloc.MSVCRT ref: 00412216
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharMultiWidemalloc
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2735977093-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
                                                                                                                                                                                                    • Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428
                                                                                                                                                                                                  • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
                                                                                                                                                                                                  • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472
                                                                                                                                                                                                    • Part of subcall function 0040DB32: HeapFree.KERNEL32(00000000,-00000008,0040D44B,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB6B
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(004186A8,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 85618057-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040DFC0: TlsGetValue.KERNEL32(0000000D,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,00417070,00000008,0000000C), ref: 0040DFD7
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                                                                                                                                                    • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: HeapReAlloc.KERNEL32(03E60000,00000000,?,?), ref: 0040DF1C
                                                                                                                                                                                                    • Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5
                                                                                                                                                                                                    • Part of subcall function 00402E9D: __fprintf_l.LIBCMT ref: 00402F1F
                                                                                                                                                                                                    • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
                                                                                                                                                                                                    • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
                                                                                                                                                                                                    • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
                                                                                                                                                                                                    • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
                                                                                                                                                                                                    • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
                                                                                                                                                                                                    • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
                                                                                                                                                                                                    • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
                                                                                                                                                                                                    • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
                                                                                                                                                                                                    • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
                                                                                                                                                                                                    • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
                                                                                                                                                                                                    • Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07
                                                                                                                                                                                                  • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                  • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,03E682C0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231
                                                                                                                                                                                                    • Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$FindResourcewcslen$AddressBackslashErrorFreeHeapLastLibraryPathProc$AllocAllocateCharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
                                                                                                                                                                                                  • String ID: $pA
                                                                                                                                                                                                  • API String ID: 109531086-4007739358
                                                                                                                                                                                                  • Opcode ID: f01bb369e18f13ef190f30007a4947274f5d366d46ad45d517e65d3ce441ca3c
                                                                                                                                                                                                  • Instruction ID: fee6f31afef46dfc3d4b18dc130868db542cea1a9d30875f0fa626089c73850b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f01bb369e18f13ef190f30007a4947274f5d366d46ad45d517e65d3ce441ca3c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E151F6B5904A007EE2007BF2DD82E3F266EDFD4719B10893FF844B9092C93C994DA66D
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
                                                                                                                                                                                                  • PathRemoveArgsW.SHLWAPI(?), ref: 004025D9
                                                                                                                                                                                                    • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040DECC
                                                                                                                                                                                                    • Part of subcall function 0040DEC0: RtlAllocateHeap.NTDLL(03E60000,00000000,?), ref: 0040DEF9
                                                                                                                                                                                                    • Part of subcall function 004098C0: SetEnvironmentVariableW.KERNELBASE(03E68F28,03E68F28,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004098D9
                                                                                                                                                                                                    • Part of subcall function 0040DE80: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE86
                                                                                                                                                                                                    • Part of subcall function 0040DE80: TlsGetValue.KERNEL32(0000000D), ref: 0040DE95
                                                                                                                                                                                                    • Part of subcall function 0040DE80: SetLastError.KERNEL32(?), ref: 0040DEAB
                                                                                                                                                                                                    • Part of subcall function 0040E020: wcslen.MSVCRT ref: 0040E037
                                                                                                                                                                                                    • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
                                                                                                                                                                                                    • Part of subcall function 0040DF50: HeapFree.KERNEL32(03E60000,00000000,00000000,?,00000000,?,00411DE4,00000000,00000000,-00000008), ref: 0040DF68
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
                                                                                                                                                                                                  • String ID: *pA
                                                                                                                                                                                                  • API String ID: 1199808876-3833533140
                                                                                                                                                                                                  • Opcode ID: 8f22e716d57f4c9bfe5b71c9e6acb5439c6f95b10b9ef67813090a06b7820649
                                                                                                                                                                                                  • Instruction ID: 21a80edfc212e2aa9d277187ee9bfa0e7f9d15baa35618845dd156f20ee28a4c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f22e716d57f4c9bfe5b71c9e6acb5439c6f95b10b9ef67813090a06b7820649
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C412DB5904701AED600BBB2DD8293F77ADEBD4309F108D3FF544A9092CA3CD849966E
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040D2E8: TlsGetValue.KERNEL32(?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D2EF
                                                                                                                                                                                                    • Part of subcall function 0040D2E8: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D30A
                                                                                                                                                                                                    • Part of subcall function 0040D2E8: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D319
                                                                                                                                                                                                  • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$AllocCommandHeapLine
                                                                                                                                                                                                  • String ID: $"
                                                                                                                                                                                                  • API String ID: 1339485270-3817095088
                                                                                                                                                                                                  • Opcode ID: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
                                                                                                                                                                                                  • Instruction ID: ab659b79707db7d7869a667e669445cd4c695224699636d93eb587c6e0e94742
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 23df4b233d713070fc482b77f76cf6363686a3a5707749b1e186b32a761d8b54
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A31A7735252218ADB74AF10981127772A1EFA2B60F18C17FE4926B3D2F37D8D41D369
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _wcsicmpwcscmp
                                                                                                                                                                                                  • String ID: $0A
                                                                                                                                                                                                  • API String ID: 3419221977-513306843
                                                                                                                                                                                                  • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                                                                                                                                                                                  • Instruction ID: ce5e94a217663c04e8d70dd0a479d34a80eb67d33ce446282a7f9ad79867738e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E11C476108B0A8FD3209F46D440923B3E9EF94364720843FD849A3791DB75FC218B6A
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ByteCharMultiWide
                                                                                                                                                                                                  • String ID: $0A
                                                                                                                                                                                                  • API String ID: 626452242-513306843
                                                                                                                                                                                                  • Opcode ID: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
                                                                                                                                                                                                  • Instruction ID: 257aa3cf1744ec2ccb71e28fb2e26357a5123011e6015fa77bf79efc500ed16d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ebf4601a22723825f5cb97cb36f297afbf3d96316567957ce430f2db9d3b6d5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16F0393A3862213BE230215A6C0AF672A69CB86F71F2542327B24BF2D085B5680046AC
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?), ref: 0040D593
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?), ref: 0040D648
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000), ref: 0040D66B
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A0A4,00000000,00000001,?,?,?,00000000,00409ECC,?,?,00000000,?,?), ref: 0040D6C3
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocCriticalHeapSection$EnterLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 830345296-0
                                                                                                                                                                                                  • Opcode ID: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
                                                                                                                                                                                                  • Instruction ID: 88038414d57a756cd7fad5c0050c74a6e8d04d69e7cdc083c9acd98434601a7e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 223ceb5fedc6bf78071f8d1d71221cc314eeccb9612ab2cf4b16bda0937aed7a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C51E370A00B069FC324CF69D980926B7F5FF587103148A3EE89A97B90D335F959CB94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040E145
                                                                                                                                                                                                  • HeapAlloc.KERNEL32(03E60000,00000000,0000000A), ref: 0040E169
                                                                                                                                                                                                  • HeapReAlloc.KERNEL32(03E60000,00000000,00000000,0000000A), ref: 0040E18D
                                                                                                                                                                                                  • HeapFree.KERNEL32(03E60000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E1C4
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$Alloc$Freewcslen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2479713791-0
                                                                                                                                                                                                  • Opcode ID: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
                                                                                                                                                                                                  • Instruction ID: 6002b1c3f5819bc59b30070f24097f674b8c445c60846b79d2129d941eb5fd7b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 360229d15a1fb6af201326cedd8d5f72cb5848c1c9ec4e5b388a4d503be7f4ab
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA21F774604209EFDB14CF94D884FAAB7BAEB48354F108569F9099F390D735EA81CF94
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D4A3
                                                                                                                                                                                                  • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D4E3
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040ADD5,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D51E
                                                                                                                                                                                                    • Part of subcall function 0040DB72: HeapAlloc.KERNEL32(00000008,00000000,0040D3EC,00418610,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB7E
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocCriticalHeapSection$EnterLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 830345296-0
                                                                                                                                                                                                  • Opcode ID: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
                                                                                                                                                                                                  • Instruction ID: 44ceb6562d1eb3065d03cece85d0244f92a2e0345c3169311120ea74ede9abb0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 762af24c506bf6e2b9559650e0095779b3b7acce71c4fd081469871384e8466f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A113D72604600AFC3208FA8DC40E56B7F9FB48325B14892EE896E36A1C734F804CF65
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D6EF
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D706
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF), ref: 0040D722
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D9BE,00000000,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200), ref: 0040D73F
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalFreeHeapSection$EnterLeave
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1298188129-0
                                                                                                                                                                                                  • Opcode ID: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
                                                                                                                                                                                                  • Instruction ID: 19831624efecdb95f34469d84cf285095463f1f7ead1137181efdd2e3cba2855
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9025b1c5150b3b55cbdbde059a5d8489335d355e00ab4da0a2b3a5ee45c47fee
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB012879A0161AAFC7208F96ED04967BB7CFB49751305853AA844A7A60C734E824DFE8
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0040A11A: memset.MSVCRT ref: 0040A182
                                                                                                                                                                                                    • Part of subcall function 0040D946: EnterCriticalSection.KERNEL32(00418624,00000200,00000000,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3), ref: 0040D95A
                                                                                                                                                                                                    • Part of subcall function 0040D946: HeapFree.KERNEL32(00000000,?,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004), ref: 0040D9A8
                                                                                                                                                                                                    • Part of subcall function 0040D946: LeaveCriticalSection.KERNEL32(00418624,?,00409EE8,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D9AF
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409EFA
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F06
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409F1A
                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,00409DEF,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409F30
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.1821122324.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821096611.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821153953.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821177304.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000419000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000000E19000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  • Associated: 00000000.00000002.1821213868.0000000001819000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_EtEskr.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 4254243056-0
                                                                                                                                                                                                  • Opcode ID: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
                                                                                                                                                                                                  • Instruction ID: 731859a3b15cae5753bb7de1e8a6b13bc7caaa2a8ebc947d3a100cd7cc498ee7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 725e25c77e1e11b4bf87ed01b6ee150763b189248ade4676bad763f5516a4b52
                                                                                                                                                                                                  • Instruction Fuzzy Hash: ABF04471215109BFC6115F16DD40D57BF6DFF8A7A43424129B40493571CB36EC20AAA8

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00A9175F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91772
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00A917BD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A917C7
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00A9181A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91824
                                                                                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00A91878
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91889
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00A9195B
                                                                                                                                                                                                  • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00A9196F
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00A91998
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00A919BB
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00A919D4
                                                                                                                                                                                                  • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00A919E4
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A919F9
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91A28
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91A4A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91A6C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91A77
                                                                                                                                                                                                  • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00A91AA0
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91AAA
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00A91ACE
                                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00A91AFA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                                                                                                                                                                                  • String ID: *.*$DEL$c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp
                                                                                                                                                                                                  • API String ID: 1544372074-374933037
                                                                                                                                                                                                  • Opcode ID: 4ea33a59d1bea5598599e3a1f8bbe60070fec266e0a830ada16fa5e3423012bc
                                                                                                                                                                                                  • Instruction ID: 59d2f24031826c840ede39d3b612d4bd24ec7f5dbcde207f1316585915edd020
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4ea33a59d1bea5598599e3a1f8bbe60070fec266e0a830ada16fa5e3423012bc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4EA1F776F4223BA7DF3197A58D44FAABAE96F00760F054691FD05BB190E6358D40CAE0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00AD7C60,00000000,?,00000000), ref: 00AD76CC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00ABDB3B,?,00A970CB,?,00000000,?), ref: 00AD76D8
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00AD7718
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AD7724
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00AD772F
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AD7739
                                                                                                                                                                                                  • CoCreateInstance.OLE32(00AFF7E4,00000000,00000001,00ADE9F0,?,?,?,?,?,?,?,?,?,?,?,00ABDB3B), ref: 00AD7774
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00AD7823
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Wow64RevertWow64FsRedirection, xrefs: 00AD7731
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00AD76FC
                                                                                                                                                                                                  • kernel32.dll, xrefs: 00AD76BC
                                                                                                                                                                                                  • Wow64EnableWow64FsRedirection, xrefs: 00AD7726
                                                                                                                                                                                                  • IsWow64Process, xrefs: 00AD7712
                                                                                                                                                                                                  • Wow64DisableWow64FsRedirection, xrefs: 00AD771E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                                                                                                                  • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp$kernel32.dll
                                                                                                                                                                                                  • API String ID: 2124981135-1982296257
                                                                                                                                                                                                  • Opcode ID: 02ff6c685419407b7ed36d06e4b33148884a9c8003092568bcb8e03d219f3b9f
                                                                                                                                                                                                  • Instruction ID: a63c96b51371aa8435c4c1247609de0e4f4421d44029047bb17072ca5125f2ee
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 02ff6c685419407b7ed36d06e4b33148884a9c8003092568bcb8e03d219f3b9f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A241A535A05215ABDB28DBE8C884FAEB7A4FF14710F11496AFA06EB350E671DD40DB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A94E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00A9114E,?,00000000), ref: 00A94E5B
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00A91167
                                                                                                                                                                                                    • Part of subcall function 00A914FE: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A9150F
                                                                                                                                                                                                    • Part of subcall function 00A914FE: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A9151A
                                                                                                                                                                                                    • Part of subcall function 00A914FE: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A91528
                                                                                                                                                                                                    • Part of subcall function 00A914FE: GetLastError.KERNEL32(?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A91543
                                                                                                                                                                                                    • Part of subcall function 00A914FE: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A9154B
                                                                                                                                                                                                    • Part of subcall function 00A914FE: GetLastError.KERNEL32(?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A91560
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?,?,?,?,00ADE4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00A911AA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                                                                                                                  • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                                                                                                                                                  • API String ID: 3687706282-3151496603
                                                                                                                                                                                                  • Opcode ID: c18ba8e50a7b7265dc7071a031af331db85639f5f6ecdf02184bcb8047d52fe2
                                                                                                                                                                                                  • Instruction ID: 57588bf0fb9158d9b03d3f17bfb243c36d93710006488480588a77b95cfd9c69
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c18ba8e50a7b7265dc7071a031af331db85639f5f6ecdf02184bcb8047d52fe2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF2160B1B01219ABDF10EFA4DD45BDEBBF8EF08714F50461AF912BA290D7719905CBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AA9EF0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AA9F4F
                                                                                                                                                                                                    • Part of subcall function 00AA9EF0: GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00AA9F75
                                                                                                                                                                                                    • Part of subcall function 00AA9EF0: GetLastError.KERNEL32 ref: 00AA9F7F
                                                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY),00000001,?,00000000), ref: 00AABD60
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00AABD69
                                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00AABE0C
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                    • Part of subcall function 00A91B27: CreateDirectoryW.KERNELBASE(00000000,00A97083,00000000,00000000,?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B35
                                                                                                                                                                                                    • Part of subcall function 00A91B27: GetLastError.KERNEL32(?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B43
                                                                                                                                                                                                  • DecryptFileW.ADVAPI32(00000000,00000000), ref: 00AABDD0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create the security descriptor for the working folder., xrefs: 00AABD97
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AABD8D
                                                                                                                                                                                                  • Failed to copy working folder., xrefs: 00AABDED
                                                                                                                                                                                                  • D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY), xrefs: 00AABD5B
                                                                                                                                                                                                  • Failed create working folder., xrefs: 00AABDC5
                                                                                                                                                                                                  • Failed to calculate working folder to ensure it exists., xrefs: 00AABD3D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$DescriptorDirectoryHeapProcessSecurity$AllocateConvertCreateCurrentDecryptFileFreeLocalStringWindows
                                                                                                                                                                                                  • String ID: D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.$Failed to create the security descriptor for the working folder.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 1593575373-1634687223
                                                                                                                                                                                                  • Opcode ID: 387f33aecbabc1b77a2fe30ea3f4f70ed40b0bccc01957611b590c7f6fdb7894
                                                                                                                                                                                                  • Instruction ID: b6e38e65223e8da50acd0e2a7264679836006255300f246f3cb909603e6d3ea0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 387f33aecbabc1b77a2fe30ea3f4f70ed40b0bccc01957611b590c7f6fdb7894
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4631A832D50765BBCB21AF95DD819DFBBB8EF01751F10416AF9017B192DB708E0087A0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00A93B67
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,00000000), ref: 00A93B73
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2295610775-0
                                                                                                                                                                                                  • Opcode ID: 9e1cc06a35d3cf17aac96ed3d3bf0eba76bbd5546da47447db2e3004b86da132
                                                                                                                                                                                                  • Instruction ID: 808547450cd5cee2359f6166c2b5c7794484c320fc7801d5478063b5deae52d4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e1cc06a35d3cf17aac96ed3d3bf0eba76bbd5546da47447db2e3004b86da132
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F01D6727001089BDF10EFA5DD89EABB7BCEBC5325F00016AF509D7180C6749E498A60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1357844191-0
                                                                                                                                                                                                  • Opcode ID: b4e67880074c013dd2862f71a2e79ce6287b6b1da1e8b09575230947924ac084
                                                                                                                                                                                                  • Instruction ID: a6c4d0364318c69b361cf979709b840fd983c296706f7f098b92f205c160fd44
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4e67880074c013dd2862f71a2e79ce6287b6b1da1e8b09575230947924ac084
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CAC01232290218AB8F00EFF4DC0DC553B9CAB246027008501B506CA050D638E1118761
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00A9FD38
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AA041C
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • comres.dll, xrefs: 00A9FF14
                                                                                                                                                                                                  • RollbackBoundaryForward, xrefs: 00A9FFBF
                                                                                                                                                                                                  • Permanent, xrefs: 00A9FF15
                                                                                                                                                                                                  • Failed to find forward transaction boundary: %ls, xrefs: 00AA01E6
                                                                                                                                                                                                  • MsiPackage, xrefs: 00AA0075
                                                                                                                                                                                                  • Failed to get @Vital., xrefs: 00AA039E
                                                                                                                                                                                                  • Failed to get @Size., xrefs: 00AA03BA
                                                                                                                                                                                                  • Cache, xrefs: 00A9FE2B
                                                                                                                                                                                                  • Failed to get @InstallCondition., xrefs: 00AA01D9
                                                                                                                                                                                                  • InstallCondition, xrefs: 00A9FF9C
                                                                                                                                                                                                  • Failed to get @InstallSize., xrefs: 00AA03B3
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\package.cpp, xrefs: 00A9FC9E, 00A9FDC3, 00AA01AF, 00AA0244
                                                                                                                                                                                                  • Failed to get @RollbackBoundaryForward., xrefs: 00AA01F0
                                                                                                                                                                                                  • Failed to get rollback bundary node count., xrefs: 00A9FC6E
                                                                                                                                                                                                  • RollbackLogPathVariable, xrefs: 00A9FF79
                                                                                                                                                                                                  • Failed to get @CacheId., xrefs: 00AA03C1
                                                                                                                                                                                                  • Failed to get @Permanent., xrefs: 00AA03A5
                                                                                                                                                                                                  • Failed to parse target product codes., xrefs: 00AA0381
                                                                                                                                                                                                  • Failed to select package nodes., xrefs: 00A9FD74
                                                                                                                                                                                                  • LogPathVariable, xrefs: 00A9FF56
                                                                                                                                                                                                  • Failed to get @RollbackLogPathVariable., xrefs: 00AA01CF
                                                                                                                                                                                                  • msi.dll, xrefs: 00A9FEA8
                                                                                                                                                                                                  • cabinet.dll, xrefs: 00A9FEDE
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00A9FF9B
                                                                                                                                                                                                  • InstallSize, xrefs: 00A9FEDF
                                                                                                                                                                                                  • Failed to allocate memory for package structs., xrefs: 00A9FDCF
                                                                                                                                                                                                  • Vital, xrefs: 00A9FD07, 00A9FF3B
                                                                                                                                                                                                  • Failed to parse MSP package., xrefs: 00AA0211
                                                                                                                                                                                                  • Failed to parse payload references., xrefs: 00AA0397
                                                                                                                                                                                                  • feclient.dll, xrefs: 00A9FF78
                                                                                                                                                                                                  • clbcatq.dll, xrefs: 00A9FEF9
                                                                                                                                                                                                  • Failed to get @PerMachine., xrefs: 00AA03AC
                                                                                                                                                                                                  • Failed to parse MSU package., xrefs: 00AA021B
                                                                                                                                                                                                  • Failed to parse dependency providers., xrefs: 00AA0390
                                                                                                                                                                                                  • RollbackBoundaryBackward, xrefs: 00A9FFF9
                                                                                                                                                                                                  • wininet.dll, xrefs: 00A9FF3A
                                                                                                                                                                                                  • Size, xrefs: 00A9FEC4
                                                                                                                                                                                                  • Failed to allocate memory for MSP patch sequence information., xrefs: 00AA01BB
                                                                                                                                                                                                  • yes, xrefs: 00A9FE67
                                                                                                                                                                                                  • Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00A9FD61
                                                                                                                                                                                                  • Failed to parse EXE package., xrefs: 00AA0069
                                                                                                                                                                                                  • MsuPackage, xrefs: 00AA00E6
                                                                                                                                                                                                  • Failed to allocate memory for rollback boundary structs., xrefs: 00A9FCAA
                                                                                                                                                                                                  • ExePackage, xrefs: 00AA0037
                                                                                                                                                                                                  • Failed to get @RollbackBoundaryBackward., xrefs: 00AA0207
                                                                                                                                                                                                  • always, xrefs: 00A9FE87
                                                                                                                                                                                                  • Failed to select rollback boundary nodes., xrefs: 00A9FC49
                                                                                                                                                                                                  • Failed to get @Id., xrefs: 00AA03E7
                                                                                                                                                                                                  • Invalid cache type: %ls, xrefs: 00AA03D0
                                                                                                                                                                                                  • Failed to allocate memory for patch sequence information to package lookup., xrefs: 00AA0250
                                                                                                                                                                                                  • Failed to get next node., xrefs: 00AA03EE
                                                                                                                                                                                                  • Failed to find backward transaction boundary: %ls, xrefs: 00AA01FD
                                                                                                                                                                                                  • Failed to get @Cache., xrefs: 00AA03E0
                                                                                                                                                                                                  • MspPackage, xrefs: 00AA00AD
                                                                                                                                                                                                  • Failed to parse MSI package., xrefs: 00AA00A1
                                                                                                                                                                                                  • RollbackBoundary, xrefs: 00A9FC36
                                                                                                                                                                                                  • CacheId, xrefs: 00A9FEA9
                                                                                                                                                                                                  • Failed to get @LogPathVariable., xrefs: 00AA01C5
                                                                                                                                                                                                  • PerMachine, xrefs: 00A9FEFA
                                                                                                                                                                                                  • Failed to get package node count., xrefs: 00A9FD91
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeHeapString$AllocateProcess
                                                                                                                                                                                                  • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$c:\agent\_work\36\s\wix\src\burn\engine\package.cpp$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$wininet.dll$yes
                                                                                                                                                                                                  • API String ID: 336948655-1663091911
                                                                                                                                                                                                  • Opcode ID: 939a2ebd2cb1b05d9ae02cada3b70c26ad71be6b49764b80e0b5648049d2f6b7
                                                                                                                                                                                                  • Instruction ID: 0157d8dba52f29c86e618c76f68502e71053f6d7ff09fd41e8aa388ecdaa2e96
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 939a2ebd2cb1b05d9ae02cada3b70c26ad71be6b49764b80e0b5648049d2f6b7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F232B072E00226BBCF219B65CD45FAEB6B4BF05720F214665F911BB2D1D771DE009BA0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                                                  • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp$yes$
                                                                                                                                                                                                  • API String ID: 760788290-4060943106
                                                                                                                                                                                                  • Opcode ID: b82dcc16cbb28c8fa27f81602135ada3a2bdfd0f627fc21144d621dbb2c18151
                                                                                                                                                                                                  • Instruction ID: 32d3223143c058ce82bbc7debc510e197f7ae7feca959d7c543b7d1cdf435b3c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b82dcc16cbb28c8fa27f81602135ada3a2bdfd0f627fc21144d621dbb2c18151
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09E14B33E446B6BBCB22A6A5CD91EBD76BCBF0A710F150661F921B72D0E7609D0097D0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 00A9D20E
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D25C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 00A9D262
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,00A96139,00000040,?,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D2AA
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 00A9D2B0
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D30D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D313
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D35C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D362
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D3D3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D3D9
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D422
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D428
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D471
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D477
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D4C3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D4C9
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D51C
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D57E
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D608
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9D612
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\36\s\wix\src\burn\engine\section.cpp
                                                                                                                                                                                                  • API String ID: 3411815225-1899484497
                                                                                                                                                                                                  • Opcode ID: b98189aebea5d13702a4185b44323eb65f60eae7bdb38cd000e8f70332b80254
                                                                                                                                                                                                  • Instruction ID: df6b405b156ef899ea1986209f8037bccd750fc0e503ac140c7bd655fb7b1d8f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b98189aebea5d13702a4185b44323eb65f60eae7bdb38cd000e8f70332b80254
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B112B476B80235BBDF209B55CD45FAA7AF8AB41710F014295BE08BF281E6749D81CBE1

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,?,00AB2495,?,?), ref: 00AB28F4
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00AB2495,?,?), ref: 00AB28FE
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00AB2495,?,?), ref: 00AB2943
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00AB2495,?,?), ref: 00AB294E
                                                                                                                                                                                                  • ResetEvent.KERNEL32(?,?,?,?,?,00AB2495,?,?), ref: 00AB2986
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00AB2495,?,?), ref: 00AB2990
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$Event$ObjectResetSingleWait
                                                                                                                                                                                                  • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 1865021742-3295966698
                                                                                                                                                                                                  • Opcode ID: 7149401f29c05a83de31ed63d7a15752d703446b0e416cc619dbac89f2c89e46
                                                                                                                                                                                                  • Instruction ID: 40dab7ef8dd2fa397e8ffb1b356da207a1fd84ad249b575afb30028c26358425
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7149401f29c05a83de31ed63d7a15752d703446b0e416cc619dbac89f2c89e46
                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED912833AC163377E73197A98E49BAA3A68BF01B60F010317BE45BE6D2D655DC0087E1

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A96EDD
                                                                                                                                                                                                    • Part of subcall function 00AD56A2: InitializeCriticalSection.KERNEL32(00AFF764,?,00A96EE9,00000000,?,?,?,?,?,?), ref: 00AD56B9
                                                                                                                                                                                                    • Part of subcall function 00A91591: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00A96F05,00000000,?), ref: 00A915CF
                                                                                                                                                                                                    • Part of subcall function 00A91591: GetLastError.KERNEL32(?,?,?,00A96F05,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A915D9
                                                                                                                                                                                                  • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A96F4B
                                                                                                                                                                                                    • Part of subcall function 00A956C9: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A956EA
                                                                                                                                                                                                  • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00A96FDD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A96FE7
                                                                                                                                                                                                  • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A97254
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to initialize COM., xrefs: 00A96F57
                                                                                                                                                                                                  • Failed to run per-machine mode., xrefs: 00A97132
                                                                                                                                                                                                  • Failed to run embedded mode., xrefs: 00A9710A
                                                                                                                                                                                                  • 3.14.1.8722, xrefs: 00A9704A
                                                                                                                                                                                                  • Invalid run mode., xrefs: 00A970BF
                                                                                                                                                                                                  • Failed to initialize Regutil., xrefs: 00A96F8F
                                                                                                                                                                                                  • Failed to initialize core., xrefs: 00A97089
                                                                                                                                                                                                  • Failed to initialize engine state., xrefs: 00A96F32
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 00A9700B
                                                                                                                                                                                                  • Failed to run RunOnce mode., xrefs: 00A970E2
                                                                                                                                                                                                  • Failed to run untrusted mode., xrefs: 00A9717C
                                                                                                                                                                                                  • Failed to run per-user mode., xrefs: 00A9715A
                                                                                                                                                                                                  • Failed to parse command line., xrefs: 00A96F0B
                                                                                                                                                                                                  • Failed to initialize Wiutil., xrefs: 00A96FA7
                                                                                                                                                                                                  • Failed to get OS info., xrefs: 00A97015
                                                                                                                                                                                                  • Failed to initialize XML util., xrefs: 00A96FBF
                                                                                                                                                                                                  • , xrefs: 00A971BB
                                                                                                                                                                                                  • Failed to initialize Cryputil., xrefs: 00A96F6C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                                                                                                                                                  • String ID: 3.14.1.8722$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp$
                                                                                                                                                                                                  • API String ID: 3262001429-808583736
                                                                                                                                                                                                  • Opcode ID: efe8014786be91904194f84fda1dc1a5b3d32250514f00a362bea496c73755d9
                                                                                                                                                                                                  • Instruction ID: 4d211922ffc7a278f3c08696dd7275ba469a507e9b2a5ae453711e58731d441f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: efe8014786be91904194f84fda1dc1a5b3d32250514f00a362bea496c73755d9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0CB1B432F54229ABDF31AF64CD46BED76F4AF04710F0501D6F909BA251DA309E84CEA1

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 1123 a96a03-a96a4b call ac0ec0 call a94e3a 1128 a96a4d-a96a5a call ad53e7 1123->1128 1129 a96a5f-a96a69 call aab554 1123->1129 1134 a96bfb-a96c05 1128->1134 1135 a96a6b-a96a70 1129->1135 1136 a96a72-a96a81 call aab55a 1129->1136 1137 a96c10-a96c14 1134->1137 1138 a96c07-a96c0c CloseHandle 1134->1138 1139 a96aa7-a96ac2 call a929f6 1135->1139 1144 a96a86-a96a8a 1136->1144 1142 a96c1f-a96c23 1137->1142 1143 a96c16-a96c1b CloseHandle 1137->1143 1138->1137 1153 a96acb-a96adf call aa868d 1139->1153 1154 a96ac4-a96ac9 1139->1154 1146 a96c2e-a96c30 1142->1146 1147 a96c25-a96c2a CloseHandle 1142->1147 1143->1142 1148 a96a8c 1144->1148 1149 a96aa1-a96aa4 1144->1149 1151 a96c32-a96c33 CloseHandle 1146->1151 1152 a96c35-a96c49 call a93251 * 2 1146->1152 1147->1146 1150 a96a91-a96a9c call ad53e7 1148->1150 1149->1139 1150->1134 1151->1152 1168 a96c4b-a96c4e call a93136 1152->1168 1169 a96c53-a96c57 1152->1169 1162 a96af9-a96b0d call aa8747 1153->1162 1163 a96ae1 1153->1163 1154->1150 1171 a96b0f-a96b14 1162->1171 1172 a96b16-a96b31 call a92a38 1162->1172 1166 a96ae6 1163->1166 1170 a96aeb-a96af4 call ad53e7 1166->1170 1168->1169 1174 a96c59-a96c5c call a93136 1169->1174 1175 a96c61-a96c67 1169->1175 1180 a96bf8 1170->1180 1171->1166 1182 a96b3d-a96b56 call a92a38 1172->1182 1183 a96b33-a96b38 1172->1183 1174->1175 1180->1134 1186 a96b58-a96b5d 1182->1186 1187 a96b62-a96b8e CreateProcessW 1182->1187 1183->1150 1186->1150 1188 a96bcb-a96be1 call ad5c34 1187->1188 1189 a96b90-a96b9a GetLastError 1187->1189 1195 a96be6-a96bea 1188->1195 1191 a96b9c-a96ba5 1189->1191 1192 a96ba7 1189->1192 1191->1192 1193 a96ba9 1192->1193 1194 a96bae-a96bc6 call a913b3 1192->1194 1193->1194 1194->1170 1195->1134 1197 a96bec-a96bf3 call ad53e7 1195->1197 1197->1180
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A94E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00A9114E,?,00000000), ref: 00A94E5B
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00A96C0A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00A96C19
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00A96C28
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00A96C33
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • %ls %ls, xrefs: 00A96B1F
                                                                                                                                                                                                  • Failed to allocate parameters for unelevated process., xrefs: 00A96AC4
                                                                                                                                                                                                  • Failed to append original command line., xrefs: 00A96B33
                                                                                                                                                                                                  • burn.filehandle.attached, xrefs: 00A96AE1
                                                                                                                                                                                                  • burn.clean.room, xrefs: 00A96AA8
                                                                                                                                                                                                  • Failed to get path for current process., xrefs: 00A96A4D
                                                                                                                                                                                                  • Failed to append %ls, xrefs: 00A96AE6
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 00A96BB4
                                                                                                                                                                                                  • Failed to cache to clean room., xrefs: 00A96A8C
                                                                                                                                                                                                  • "%ls" %ls, xrefs: 00A96B44
                                                                                                                                                                                                  • -%ls="%ls", xrefs: 00A96AB0
                                                                                                                                                                                                  • Failed to launch clean room process: %ls, xrefs: 00A96BC1
                                                                                                                                                                                                  • Failed to allocate full command-line., xrefs: 00A96B58
                                                                                                                                                                                                  • D, xrefs: 00A96B73
                                                                                                                                                                                                  • burn.filehandle.self, xrefs: 00A96B0F
                                                                                                                                                                                                  • Failed to wait for clean room process: %ls, xrefs: 00A96BED
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle$FileModuleName
                                                                                                                                                                                                  • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp
                                                                                                                                                                                                  • API String ID: 3884789274-309622507
                                                                                                                                                                                                  • Opcode ID: cdf08b2ab9771da94923dd870a56a9ff92e3753e0949515a6a161decf7ff831a
                                                                                                                                                                                                  • Instruction ID: a32619efb66ce607c8ab6d4e56c253dece68024153c32d4a51218cae7b43cae3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cdf08b2ab9771da94923dd870a56a9ff92e3753e0949515a6a161decf7ff831a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A718536E40229BBCF11EBA4CD45EDEBBF8AF04750F114616F911BB291DB749A018BA0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 1200 aa916b-aa91b0 call ac0ec0 call a99322 1205 aa91bc-aa91cd call a9e107 1200->1205 1206 aa91b2-aa91b7 1200->1206 1211 aa91d9-aa91ea call a9df6e 1205->1211 1212 aa91cf-aa91d4 1205->1212 1207 aa9455-aa945c call ad53e7 1206->1207 1215 aa945d-aa9462 1207->1215 1221 aa91ec-aa91f1 1211->1221 1222 aa91f6-aa920b call a9e1c6 1211->1222 1212->1207 1217 aa946a-aa946e 1215->1217 1218 aa9464-aa9465 call a93136 1215->1218 1219 aa9478-aa947d 1217->1219 1220 aa9470-aa9473 call a93136 1217->1220 1218->1217 1225 aa947f-aa9480 call a93136 1219->1225 1226 aa9485-aa9492 call a9debd 1219->1226 1220->1219 1221->1207 1232 aa920d-aa9212 1222->1232 1233 aa9217-aa9227 call abdb17 1222->1233 1225->1226 1234 aa949c-aa94a0 1226->1234 1235 aa9494-aa9497 call a93136 1226->1235 1232->1207 1241 aa9229-aa922e 1233->1241 1242 aa9233-aa92a6 call aa78e6 1233->1242 1239 aa94aa-aa94ae 1234->1239 1240 aa94a2-aa94a5 call a93136 1234->1240 1235->1234 1244 aa94b8-aa94be 1239->1244 1245 aa94b0-aa94b3 call a951ae 1239->1245 1240->1239 1241->1207 1249 aa92a8-aa92ad 1242->1249 1250 aa92b2-aa92b7 1242->1250 1245->1244 1249->1207 1251 aa92b9 1250->1251 1252 aa92be-aa92d9 call a972c6 GetCurrentProcess call ad5a1f 1250->1252 1251->1252 1256 aa92de-aa92f5 call a99fb1 1252->1256 1259 aa930f-aa9326 call a99fb1 1256->1259 1260 aa92f7 1256->1260 1265 aa9328-aa932d 1259->1265 1266 aa932f-aa9334 1259->1266 1261 aa92fc-aa930a call ad53e7 1260->1261 1261->1215 1265->1261 1268 aa9390-aa9395 1266->1268 1269 aa9336-aa9348 call a99f57 1266->1269 1270 aa9397-aa93a9 call a99f57 1268->1270 1271 aa93b5-aa93be 1268->1271 1279 aa934a-aa934f 1269->1279 1280 aa9354-aa9364 call a94ea9 1269->1280 1270->1271 1282 aa93ab-aa93b0 1270->1282 1274 aa93ca-aa93de call aac20f 1271->1274 1275 aa93c0-aa93c3 1271->1275 1287 aa93e0-aa93e5 
1274->1287 1288 aa93e7 1274->1288 1275->1274 1278 aa93c5-aa93c8 1275->1278 1278->1274 1283 aa93ed-aa93f0 1278->1283 1279->1207 1291 aa9370-aa9384 call a99f57 1280->1291 1292 aa9366-aa936b 1280->1292 1282->1207 1289 aa93f2-aa93f5 1283->1289 1290 aa93f7-aa940d call a9f289 1283->1290 1287->1207 1288->1283 1289->1215 1289->1290 1296 aa940f-aa9414 1290->1296 1297 aa9416-aa942e call a9e8bf 1290->1297 1291->1268 1300 aa9386-aa938b 1291->1300 1292->1207 1296->1207 1302 aa9430-aa9435 1297->1302 1303 aa9437-aa944e call a9e5e2 1297->1303 1300->1207 1302->1207 1303->1215 1306 aa9450 1303->1306 1306->1207
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get source process folder from path., xrefs: 00AA9366
                                                                                                                                                                                                  • Failed to load catalog files., xrefs: 00AA9450
                                                                                                                                                                                                  • Failed to set original source variable., xrefs: 00AA93AB
                                                                                                                                                                                                  • Failed to initialize variables., xrefs: 00AA91B2
                                                                                                                                                                                                  • Failed to initialize internal cache functionality., xrefs: 00AA93E0
                                                                                                                                                                                                  • Failed to set source process path variable., xrefs: 00AA934A
                                                                                                                                                                                                  • Failed to parse command line., xrefs: 00AA92A8
                                                                                                                                                                                                  • WixBundleSourceProcessFolder, xrefs: 00AA9375
                                                                                                                                                                                                  • Failed to open attached UX container., xrefs: 00AA91CF
                                                                                                                                                                                                  • WixBundleSourceProcessPath, xrefs: 00AA9339
                                                                                                                                                                                                  • Failed to get manifest stream from container., xrefs: 00AA920D
                                                                                                                                                                                                  • Failed to open manifest stream., xrefs: 00AA91EC
                                                                                                                                                                                                  • Failed to overwrite the %ls built-in variable., xrefs: 00AA92FC
                                                                                                                                                                                                  • Failed to get unique temporary folder for bootstrapper application., xrefs: 00AA940F
                                                                                                                                                                                                  • WixBundleUILevel, xrefs: 00AA9317, 00AA9328
                                                                                                                                                                                                  • WixBundleOriginalSource, xrefs: 00AA939A
                                                                                                                                                                                                  • Failed to load manifest., xrefs: 00AA9229
                                                                                                                                                                                                  • Failed to extract bootstrapper application payloads., xrefs: 00AA9430
                                                                                                                                                                                                  • Failed to set source process folder variable., xrefs: 00AA9386
                                                                                                                                                                                                  • WixBundleElevated, xrefs: 00AA92E6, 00AA92F7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalInitializeSection
                                                                                                                                                                                                  • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00A96A86,?,?,00000000,00A96A86,00000000), ref: 00AAA371
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAA37E
                                                                                                                                                                                                    • Part of subcall function 00A935C3: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00A93659
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00ADE4B8,00000000,00000000,00000000,?,00000000,00ADE500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AAA42B
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAA435
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,00ADE500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AAA560
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • msi.dll, xrefs: 00AAA472
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAA3A2, 00AAA459, 00AAA4C0, 00AAA52F
                                                                                                                                                                                                  • cabinet.dll, xrefs: 00AAA4D9
                                                                                                                                                                                                  • Failed to create engine file at path: %ls, xrefs: 00AAA3AF
                                                                                                                                                                                                  • Failed to seek to beginning of engine file: %ls, xrefs: 00AAA3D7
                                                                                                                                                                                                  • Failed to seek to original data in exe burn section header., xrefs: 00AAA539
                                                                                                                                                                                                  • Failed to seek to checksum in exe header., xrefs: 00AAA463
                                                                                                                                                                                                  • Failed to zero out original data offset., xrefs: 00AAA552
                                                                                                                                                                                                  • Failed to seek to signature table in exe header., xrefs: 00AAA4CA
                                                                                                                                                                                                  • Failed to copy engine from: %ls to: %ls, xrefs: 00AAA406
                                                                                                                                                                                                  • Failed to update signature offset., xrefs: 00AAA47F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                                                                                                                                                                                  • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp$cabinet.dll$msi.dll

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00AA91AC,00A97083,00000000,00A9710B), ref: 00A99342
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalInitializeSection
                                                                                                                                                                                                  • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AA9F4F
                                                                                                                                                                                                    • Part of subcall function 00AD5A1F: OpenProcessToken.ADVAPI32(?,00000008,?,00A97083,00000000,?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A3D
                                                                                                                                                                                                    • Part of subcall function 00AD5A1F: GetLastError.KERNEL32(?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A47
                                                                                                                                                                                                    • Part of subcall function 00AD5A1F: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5AD1
                                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00AA9F75
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AA9F7F
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00AA9FFE
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAA008
                                                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00AAA047
                                                                                                                                                                                                  • StringFromGUID2.OLE32(?,?,00000027), ref: 00AAA06B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AA9FA3, 00AAA02C, 00AAA080
                                                                                                                                                                                                  • Failed to copy working folder path., xrefs: 00AAA0E5
                                                                                                                                                                                                  • Temp\, xrefs: 00AA9FD9
                                                                                                                                                                                                  • Failed to ensure windows path for working folder ended in backslash., xrefs: 00AA9FD2
                                                                                                                                                                                                  • %ls%ls\, xrefs: 00AAA09F
                                                                                                                                                                                                  • Failed to create working folder guid., xrefs: 00AAA054
                                                                                                                                                                                                  • Failed to get windows path for working folder., xrefs: 00AA9FAD
                                                                                                                                                                                                  • Failed to convert working folder guid into string., xrefs: 00AAA08A
                                                                                                                                                                                                  • Failed to append bundle id on to temp path for working folder., xrefs: 00AAA0B7
                                                                                                                                                                                                  • Failed to get temp path for working folder., xrefs: 00AAA036
                                                                                                                                                                                                  • Failed to concat Temp directory on windows path for working folder., xrefs: 00AA9FF1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$Process$CloseCreateCurrentDirectoryFromHandleOpenPathStringTempTokenUuidWindows
                                                                                                                                                                                                  • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000), ref: 00AB2CEC
                                                                                                                                                                                                  • CoUninitialize.COMBASE ref: 00AB2F67
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set operation complete event., xrefs: 00AB2E93
                                                                                                                                                                                                  • Failed to initialize COM., xrefs: 00AB2CF8
                                                                                                                                                                                                  • Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00AB2E48
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB2D62, 00AB2E89, 00AB2ED6, 00AB2F15, 00AB2F41
                                                                                                                                                                                                  • <the>.cab, xrefs: 00AB2D8C
                                                                                                                                                                                                  • Failed to wait for begin operation event., xrefs: 00AB2EE0
                                                                                                                                                                                                  • Failed to initialize cabinet.dll., xrefs: 00AB2D6E
                                                                                                                                                                                                  • Invalid operation for this state., xrefs: 00AB2F4B
                                                                                                                                                                                                  • Failed to reset begin operation event., xrefs: 00AB2F1F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: InitializeUninitialize
                                                                                                                                                                                                  • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A95FDB
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(000000D0,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A95FE4
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A9602A
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A96034
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A96048
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A96058
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A960A8
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A960B2
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A960C6
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A96F2C,?,?,00000000,?,?), ref: 00A960D6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                                                                                                                                                  • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00A9E17F,00A970CB,?,?,00A9710B), ref: 00A9DFD6
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9DFE7
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?), ref: 00A9E036
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000,?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9E03C
                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9E03F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9E049
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9E09B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00A9E0A5
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                                                                                                                  • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\36\s\wix\src\burn\engine\container.cpp$crypt32.dll$feclient.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A913CA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A91409
                                                                                                                                                                                                    • Part of subcall function 00A913CA: GetLastError.KERNEL32(?,?), ref: 00A91413
                                                                                                                                                                                                    • Part of subcall function 00A94143: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00A94174
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00AD71A7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00AD71C7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00AD71E7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00AD7207
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00AD7227
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00AD7247
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00AD7267
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$ErrorLast$DirectorySystem
                                                                                                                                                                                                  • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00A9E0EB,?,00000000,?,00A9E17F), ref: 00AB3344
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9E0EB,?,00000000,?,00A9E17F,00A970CB,?,?,00A9710B,00A9710B,00000000,?,00000000), ref: 00AB334D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy file name., xrefs: 00AB332F
                                                                                                                                                                                                  • Failed to create extraction thread., xrefs: 00AB340D
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB3371, 00AB33B7, 00AB3403
                                                                                                                                                                                                  • Failed to wait for operation complete., xrefs: 00AB3420
                                                                                                                                                                                                  • Failed to create begin operation event., xrefs: 00AB337B
                                                                                                                                                                                                  • wininet.dll, xrefs: 00AB3323
                                                                                                                                                                                                  • Failed to create operation complete event., xrefs: 00AB33C1
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateErrorEventLast
                                                                                                                                                                                                  • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp$wininet.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00AD4E81
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(SystemFunction041), ref: 00AD4E93
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00AD4ED6
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00AD4EEA
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00AD4F22
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00AD4F36
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$ErrorLast
                                                                                                                                                                                                  • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\36\s\wix\src\libs\dutil\cryputil.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00AB24CB
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00AB24E3
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00AB24E8
                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00AB24EB
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 00AB24F5
                                                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00AB2564
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 00AB2571
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to duplicate handle to cab container., xrefs: 00AB2523
                                                                                                                                                                                                  • Failed to open cabinet file: %hs, xrefs: 00AB25A2
                                                                                                                                                                                                  • Failed to add virtual file pointer for cab container., xrefs: 00AB254A
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB2519, 00AB2595
                                                                                                                                                                                                  • <the>.cab, xrefs: 00AB24C4
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                                                                                                  • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00A96ADB,?,?), ref: 00AA86AD
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,00A96ADB,?,?), ref: 00AA86B3
                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,?,00A96ADB,?,?), ref: 00AA86B6
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00A96ADB,?,?), ref: 00AA86C0
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,00A96ADB,?,?), ref: 00AA8739
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • burn.filehandle.attached, xrefs: 00AA8706
                                                                                                                                                                                                  • %ls -%ls=%u, xrefs: 00AA870D
                                                                                                                                                                                                  • Failed to duplicate file handle for attached container., xrefs: 00AA86EE
                                                                                                                                                                                                  • Failed to append the file handle to the command line., xrefs: 00AA8721
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\core.cpp, xrefs: 00AA86E4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                                                                                                                                                  • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$c:\agent\_work\36\s\wix\src\burn\engine\core.cpp
                                                                                                                                                                                                  • API String ID: 4224961946-423936899
                                                                                                                                                                                                  • Opcode ID: 47c36f15f23aae02fcde8c9262ac06ad9f5eada5b1f2207e4057d0c1a23ad0bf
                                                                                                                                                                                                  • Instruction ID: e1530a4821caa0b54154ffaadf0207cdb3eb3083d2040c6d760a8f689d820aee
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47c36f15f23aae02fcde8c9262ac06ad9f5eada5b1f2207e4057d0c1a23ad0bf
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2118732E41225B7DB10EBA99D45E9E7BA8AF15770F200712F911FB1D0DB78DE018690
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(?,00000008,?,00A97083,00000000,?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A3D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A47
                                                                                                                                                                                                  • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A79
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5A92
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00AA92DE,00000000), ref: 00AD5AD1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00AD5ABF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp
                                                                                                                                                                                                  • API String ID: 4040495316-3104418550
                                                                                                                                                                                                  • Opcode ID: b941b76793cdae3bf1e32530217dff780ee4497b2531ca925b215f3e8d19ae43
                                                                                                                                                                                                  • Instruction ID: 6e949db9cefd3ab12bf5767237f9b9e9c1b9c3d0e8c800d34365a065b1ac420e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b941b76793cdae3bf1e32530217dff780ee4497b2531ca925b215f3e8d19ae43
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EA21DA76D41535EBC720DBA4888CAADBBB8AF10750F054253AD06BB360D2708E00DAD0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00AA877B
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AA87EB
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateFileHandle
                                                                                                                                                                                                  • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                                                                                                                                                                                  • API String ID: 3498533004-3263533295
                                                                                                                                                                                                  • Opcode ID: def4db8b257a9bea19e2ec387bc43953087cbee48ac25c653829647f6da9c7cc
                                                                                                                                                                                                  • Instruction ID: 2aa5835e41ed853901c8d9bbfb1e89c5dd5e54792b1ecae3485d8c228b0c5fc4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: def4db8b257a9bea19e2ec387bc43953087cbee48ac25c653829647f6da9c7cc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1111C831A413657BCB21AB59CC46F5B3BA8BB42B70F210311FC25BB2D1DBB889118790
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00A94174
                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00A941A1
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00A941CD
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00ADE564,?,00000000,?,00000000,?,00000000), ref: 00A9420B
                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00A9423C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$Global$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 1145190524-1339450348
                                                                                                                                                                                                  • Opcode ID: 0adfdcf2f2f6f00101c2600e70122a6f23c39c6d3916a1774c7b61efd16b15e1
                                                                                                                                                                                                  • Instruction ID: 15770c422039d389277d0e97964937fa860dcc0eaacca88b95b2ee23b69778c8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0adfdcf2f2f6f00101c2600e70122a6f23c39c6d3916a1774c7b61efd16b15e1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E315036A40235AB8B21DB998D41EAFBAF8EB58750F214366FD04EB241E6309D4286D1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00AB26FC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00AB2706
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB272A
                                                                                                                                                                                                  • Invalid seek type., xrefs: 00AB2692
                                                                                                                                                                                                  • Failed to move file pointer 0x%x bytes., xrefs: 00AB2737
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                                                  • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2976181284-2134847726
                                                                                                                                                                                                  • Opcode ID: 6bfd7d502a05dc338e44d36056c610d477ac5c384788ad6683ff69fb8a82117c
                                                                                                                                                                                                  • Instruction ID: 4b9a7c4c2f1b84192b67fd32b5c80b4c41dd531bc497714453f38305063cd2f5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6bfd7d502a05dc338e44d36056c610d477ac5c384788ad6683ff69fb8a82117c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9731B036A0011AFFCB04DFA8CD85EA9B7B8FF04354B008216F915DB651EB70ED108B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00A97083,00000000,00000000,?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B35
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B43
                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(00000000,00A97083,00000000,?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91BB3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91BBD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp, xrefs: 00A91BED
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp
                                                                                                                                                                                                  • API String ID: 1375471231-3208742346
                                                                                                                                                                                                  • Opcode ID: 675e41c6cbdfbe49ee0aace4c89736864b49aae674e5cc6184ae12ee4a8aa09e
                                                                                                                                                                                                  • Instruction ID: ba82ad34149eb3a81a2a6bd7eb53fabdcabf4da8ab690f6b24d02906dbee6c66
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 675e41c6cbdfbe49ee0aace4c89736864b49aae674e5cc6184ae12ee4a8aa09e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A521C03BB40273A7DF216BA58C44B7BB6E6EF65BA0F114166FD05EF250F6248C0192D1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00A96BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00AD5C40
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00AD5C4E
                                                                                                                                                                                                  • GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 00AD5C93
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00AD5C9D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00AD5C72
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp
                                                                                                                                                                                                  • API String ID: 590199018-3104418550
                                                                                                                                                                                                  • Opcode ID: 6a4b10f356b3e765d49d45226ba800ce61f1ad958fcd17a154973b1ac7ae29c7
                                                                                                                                                                                                  • Instruction ID: 80e7b06f570faaeb04c93e237bc8f7358b38ac4cf9f5e3db6573175ddb0c08bd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a4b10f356b3e765d49d45226ba800ce61f1ad958fcd17a154973b1ac7ae29c7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90016137E51B35A7CB219BB58D486AA7B64AF15761F128213FD56AF390D2308C0086D5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00AD7BCB
                                                                                                                                                                                                  • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00AFF7E4,00000001,00000000,00A96FB9,?,?,?,?,?,?), ref: 00AD7C03
                                                                                                                                                                                                  • CLSIDFromProgID.OLE32(MSXML.DOMDocument,00AFF7E4,?,?,?,?,?,?), ref: 00AD7C0F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FromProg$Initialize
                                                                                                                                                                                                  • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                                                                                                                                                                  • API String ID: 4047641309-2356320334
                                                                                                                                                                                                  • Opcode ID: f02772b15152487cfc241fb1e4ce4725be299054f5d247513c7594feb969c21c
                                                                                                                                                                                                  • Instruction ID: 8230d5057036da64955ab9ec18be324e89c9f0b854b68d965ace0946ab987e8d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f02772b15152487cfc241fb1e4ce4725be299054f5d247513c7594feb969c21c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10F0A7247482365FD314ABEAAC04F6ABA94DB91B64F600837ED17D7250F2509CC3CAE0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AB2FDB: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00AB25F0,?,?,?), ref: 00AB3003
                                                                                                                                                                                                    • Part of subcall function 00AB2FDB: GetLastError.KERNEL32(?,00AB25F0,?,?,?), ref: 00AB300D
                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00AB25FE
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB2608
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB262C
                                                                                                                                                                                                  • Failed to read during cabinet extraction., xrefs: 00AB2636
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                                                  • String ID: Failed to read during cabinet extraction.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2170121939-1889023893
                                                                                                                                                                                                  • Opcode ID: 3077914dd2d19782f446e2c1305c6251614a8c16c23632513aa6d46eed2fc720
                                                                                                                                                                                                  • Instruction ID: c9fb843a82e55110732247d4ba2c54deae6639ba91ee50da69622b465c99dfea
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3077914dd2d19782f446e2c1305c6251614a8c16c23632513aa6d46eed2fc720
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B01C832A41165BBCB11DFA5DD05E9A7FA8FF04760F010116FD05AB251D730D911CBD0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00AB25F0,?,?,?), ref: 00AB3003
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AB25F0,?,?,?), ref: 00AB300D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB3031
                                                                                                                                                                                                  • Failed to move to virtual file pointer., xrefs: 00AB303B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                                                  • String ID: Failed to move to virtual file pointer.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2976181284-1638580159
                                                                                                                                                                                                  • Opcode ID: ca12155cc5b0e7d022f79581f7a4da0c40cbb4afa9ebe571afa21558a6f192f8
                                                                                                                                                                                                  • Instruction ID: e37b47588d1771149707155788e73198f011f0597d8c6cba42bc7725fa20d76b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ca12155cc5b0e7d022f79581f7a4da0c40cbb4afa9ebe571afa21558a6f192f8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B018437A4163677CB21AA96DC05A87FB68AF007B0B118226FD195A111DB259D1086D0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00A93659
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A936BC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A936E0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 1948546556-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00A91175,?,?,00000000), ref: 00A96E08
                                                                                                                                                                                                  • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00A91175,?,?,00000000), ref: 00A96E38
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareStringlstrlen
                                                                                                                                                                                                  • String ID: burn.clean.room
                                                                                                                                                                                                  • API String ID: 1433953587-3055529264
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00A93680,?,?,?), ref: 00A9452E
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00A93680,?,?,?), ref: 00A94538
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A94561
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 442123175-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00A910DA
                                                                                                                                                                                                    • Part of subcall function 00A91C00: GetFileAttributesW.KERNELBASE(?,00000000,?,00A9109F,?,00000000), ref: 00A91C09
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00A93B67
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 00A93B73
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileFind$AttributesCloseExitFirstProcess
                                                                                                                                                                                                  • String ID: %ls.local$Comctl32.dll
                                                                                                                                                                                                  • API String ID: 3456499317-3877841543
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00AAA3CE,00000000,00000000,00000000,00000000,00000000), ref: 00A94000
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00AAA3CE,00000000,00000000,00000000,00000000,00000000), ref: 00A9400A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A9402E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 2976181284-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A91409
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 00A91413
                                                                                                                                                                                                  • LoadLibraryW.KERNELBASE(?,?,00000104,?,?,?), ref: 00A9147C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DirectoryErrorLastLibraryLoadSystem
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1230559179-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00AD5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00AD53F9,000001C7), ref: 00A951B8
                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,?,00AD5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00AD53F9,000001C7,?,?), ref: 00A951BF
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AD5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00AD53F9,000001C7,?,?), ref: 00A951C9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$ErrorFreeLastProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 406640338-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00AC99A9,?,00AC9890,00000000,?,?,00AC99A9,4A22C385,?,00AC99A9), ref: 00AC98A7
                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00AC9890,00000000,?,?,00AC99A9,4A22C385,?,00AC99A9), ref: 00AC98AE
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00AC98C0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                  • Opcode ID: cdc45602ba978a73f3102b5c6d0941dd2ab54c3c71ef806dbfd55adf75b1be9a
                                                                                                                                                                                                  • Instruction ID: 6cf4bf31b50ca825c7ecb70b9b0b87343cfccd6751a41fb18508cf6dffd5b6cf
                                                                                                                                                                                                  • Opcode Fuzzy Hash: cdc45602ba978a73f3102b5c6d0941dd2ab54c3c71ef806dbfd55adf75b1be9a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBD09232001108AFDF01BFA1ED0EE8A3F2AAF41341B064025B90A8A031DB729992DB81
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A9587D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 71445658-90795250
                                                                                                                                                                                                  • Opcode ID: 76fbed15c75711eaf68ae6b446306df93a207859cd105251be648641e7791677
                                                                                                                                                                                                  • Instruction ID: 3d9e40cc56cd5a926697b8954e69f0001f581ea92cf01b79d1b6ce20873789e6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76fbed15c75711eaf68ae6b446306df93a207859cd105251be648641e7791677
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 30F0B432F40636678F364AA68D06A6B7DD5DB417F0F19C126BD59DF220D521CC10E7E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(?,000001C7,?,?,00A92D49,000001C7,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000), ref: 00A9529A
                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(00000000,?,00A92D49,000001C7,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A952A1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1357844191-0
                                                                                                                                                                                                  • Opcode ID: e9be09f8808325a48ef99dffb3f9620305b1815412e544e73455fb6564ffab7d
                                                                                                                                                                                                  • Instruction ID: 25516909248814b02907494bf390eb544d1ece7399ba8951f60d246346ea1dc4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9be09f8808325a48ef99dffb3f9620305b1815412e544e73455fb6564ffab7d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2D0123225020DFFDF00EFE8DC0DDAE3BACEB686127008506F916C6110D639E5619B60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00AD7C4F
                                                                                                                                                                                                    • Part of subcall function 00AD76B2: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00AD7C60,00000000,?,00000000), ref: 00AD76CC
                                                                                                                                                                                                    • Part of subcall function 00AD76B2: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00ABDB3B,?,00A970CB,?,00000000,?), ref: 00AD76D8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 52713655-0
                                                                                                                                                                                                  • Opcode ID: d10165ff32e0bef97898276e215cabfff9352f3d42519c801f1e5b7d251ffdf8
                                                                                                                                                                                                  • Instruction ID: 8b6650f2e5a0c9492485c704a7e153eaa5ef83cca2741c6014bee4d2912a82f5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d10165ff32e0bef97898276e215cabfff9352f3d42519c801f1e5b7d251ffdf8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0312D76E016299FCB15DFA8C884ADEF7F4EF08710F01456AED16BB311E670AD408BA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(80070490,00000000,80070490,00AFEBD4,00000000,80070490,?,?,00AAA771,WiX\Burn,PackageCache,00000000,00AFEBD4,00000000,00000000,80070490), ref: 00AD8F0F
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A959DD
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A95A15
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: QueryValue$Close
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1979452859-0
                                                                                                                                                                                                  • Opcode ID: f622ffb8f1d42e630eff69eb8aaaa50a7e6af283dc28c3991f11cad27160c3b7
                                                                                                                                                                                                  • Instruction ID: 8c841fcf06a4898367d0ae519d65e63520d924a8992bc1864337ec6225890e80
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f622ffb8f1d42e630eff69eb8aaaa50a7e6af283dc28c3991f11cad27160c3b7
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5911E536800125EFCF22AFA8C985AAEB67AEF18764B15417BEC4367310CA394D50D7D0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00AAA82B,0000001C,80070490,00000000,00000000,80070490), ref: 00A94F3E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FolderPath
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1514166925-0
                                                                                                                                                                                                  • Opcode ID: d30d916b6728a8f7d5bbf9a8b2f7c3fa242d23ea10688d513c5f90edb26ffadb
                                                                                                                                                                                                  • Instruction ID: b6ff535cb8942f93c99f5a824f41b18e2d8c815ffd839a6411bff4108b810bc3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d30d916b6728a8f7d5bbf9a8b2f7c3fa242d23ea10688d513c5f90edb26ffadb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94E0C7723012283BEF006AA89E04EAB3BCE9F09760B008021BE00DB000CA20EA0283B0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,00000000,?,00A9109F,?,00000000), ref: 00A91C09
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FreeLibrary.KERNELBASE(00000000,00000000,00A97234,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD7570
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00AD4648
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00AD4648
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00AD4648
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00ABFB5C
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00ABFB5C
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  • Opcode ID: 51e725bc7251f3308ac313c67a35042e8be12ed5459e02ce493a67ce5bb7eda2
                                                                                                                                                                                                  • Instruction ID: 666cf710fd79135c41d2b91c9a937d41fd09eb45a67be562b45ca3fb9b2501df
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51e725bc7251f3308ac313c67a35042e8be12ed5459e02ce493a67ce5bb7eda2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CB012A1268005BD3108E2C49D23CB7016CE0C0B11338483AF101C709BE4404C081032
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00ABFB5C
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00ABFE97
                                                                                                                                                                                                    • Part of subcall function 00ABFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00ABFEA8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                                                  • Opcode ID: 5973058c553da7e98d1d7fe303604b69a3b0269918b00af5a5266f637b7a2152
                                                                                                                                                                                                  • Instruction ID: 9d8e162e298fe7f66f51708effea7a75f2caab448bfb51c98a69134a5c8df2a1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5973058c553da7e98d1d7fe303604b69a3b0269918b00af5a5266f637b7a2152
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34B012A1378005BC3208E280DD23CB7022CD0C4B51338853AB600C605BA4404C081033
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00AD5E33
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5E3D
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00AD5E8A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5E90
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00AD5ECA
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5ED0
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00AD5F10
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5F16
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00AD5F56
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5F5C
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00AD5F9C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5FA2
                                                                                                                                                                                                  • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00AD6093
                                                                                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00AD60CD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD60D7
                                                                                                                                                                                                  • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00AD610F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD6119
                                                                                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD6152
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD615C
                                                                                                                                                                                                  • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00AD619A
                                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00AD61B0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp, xrefs: 00AD5E5E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp
                                                                                                                                                                                                  • API String ID: 267631441-3375629851
                                                                                                                                                                                                  • Opcode ID: 0fa74202b39eb4aec4331a2f2bd20203c91e3d3913b147aa627bb20904b26306
                                                                                                                                                                                                  • Instruction ID: 3d7a8313c430284d51c745f131a76df11f8abd461d53195dc4620ffebb52fa3d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0fa74202b39eb4aec4331a2f2bd20203c91e3d3913b147aa627bb20904b26306
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0C15476D41639ABDB20DFA5CD48FDAFBB8AF54750F01019BE906FB240D6709E408EA1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy download source for pseudo bundle., xrefs: 00ABDF7C
                                                                                                                                                                                                  • Failed to copy key for pseudo bundle., xrefs: 00ABE053
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp, xrefs: 00ABDE8C, 00ABDEC5, 00ABDFB4, 00ABE1E5
                                                                                                                                                                                                  • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00ABDED1
                                                                                                                                                                                                  • Failed to copy repair arguments for related bundle package, xrefs: 00ABE0E3
                                                                                                                                                                                                  • Failed to copy display name for pseudo bundle., xrefs: 00ABE262
                                                                                                                                                                                                  • Failed to copy cache id for pseudo bundle., xrefs: 00ABE072
                                                                                                                                                                                                  • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00ABE157
                                                                                                                                                                                                  • Failed to copy key for pseudo bundle payload., xrefs: 00ABDF06
                                                                                                                                                                                                  • Failed to append relation type to install arguments for related bundle package, xrefs: 00ABE0BB
                                                                                                                                                                                                  • Failed to allocate memory for dependency providers., xrefs: 00ABE1F1
                                                                                                                                                                                                  • Failed to append relation type to repair arguments for related bundle package, xrefs: 00ABE104
                                                                                                                                                                                                  • Failed to copy uninstall arguments for related bundle package, xrefs: 00ABE136
                                                                                                                                                                                                  • Failed to copy filename for pseudo bundle., xrefs: 00ABDF2A
                                                                                                                                                                                                  • Failed to copy install arguments for related bundle package, xrefs: 00ABE09A
                                                                                                                                                                                                  • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00ABDE98
                                                                                                                                                                                                  • Failed to copy local source path for pseudo bundle., xrefs: 00ABDF4E
                                                                                                                                                                                                  • -%ls, xrefs: 00ABDE63
                                                                                                                                                                                                  • Failed to copy version for pseudo bundle., xrefs: 00ABE240
                                                                                                                                                                                                  • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00ABDFC0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp
                                                                                                                                                                                                  • API String ID: 1357844191-2874107706
                                                                                                                                                                                                  • Opcode ID: 75dec23bec4da82c89c3b100565c7abd9a9c8e33f9761559bb597a92f8d153c6
                                                                                                                                                                                                  • Instruction ID: 9df22789f7d7de66b573997b2faac8c65ab22e110cb5ffe34f1072634670a08d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 75dec23bec4da82c89c3b100565c7abd9a9c8e33f9761559bb597a92f8d153c6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B6C1AA72B41656BFDF16DF78C842AFA76ACBB18700F044629F905EB252E770EC108B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00A962EB
                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00A962F2
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00A962FC
                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00A9634C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A96356
                                                                                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00A9639A
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A963A4
                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 00A963E0
                                                                                                                                                                                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00A963F1
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A963FB
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00A96451
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                                                                                                                                                                                                  • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp
                                                                                                                                                                                                  • API String ID: 2241679041-3077915282
                                                                                                                                                                                                  • Opcode ID: 46b59cbf09756662bf9f01a34671c84ebec120151007d1ba7ee67c7317baca27
                                                                                                                                                                                                  • Instruction ID: 5203a7ef722decf81a5d41b450372b892c37797c841afd141836462edb423fa3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46b59cbf09756662bf9f01a34671c84ebec120151007d1ba7ee67c7317baca27
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC417476B81235BBDB20A7E49D8AB6F76E8BF00B50F110526FD43FE290D5649D0185E1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00AA6BD0
                                                                                                                                                                                                  • GetLastError.KERNEL32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000,?,00000000,?,?,00A96205,?), ref: 00AA6BD9
                                                                                                                                                                                                  • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,00A96205,?), ref: 00AA6C7B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?), ref: 00AA6C88
                                                                                                                                                                                                  • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,00A96205), ref: 00AA6D03
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00A96205,?), ref: 00AA6D0E
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,00A96205,?), ref: 00AA6D4E
                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,00A96205,?), ref: 00AA6D7C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • \\.\pipe\%ls, xrefs: 00AA6C31
                                                                                                                                                                                                  • Failed to create pipe: %ls, xrefs: 00AA6CB9, 00AA6D3F
                                                                                                                                                                                                  • Failed to create the security descriptor for the connection event and pipe., xrefs: 00AA6C07
                                                                                                                                                                                                  • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00AA6BCB
                                                                                                                                                                                                  • \\.\pipe\%ls.Cache, xrefs: 00AA6CCF
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp, xrefs: 00AA6BFD, 00AA6CAC, 00AA6D32
                                                                                                                                                                                                  • Failed to allocate full name of pipe: %ls, xrefs: 00AA6C47
                                                                                                                                                                                                  • Failed to allocate full name of cache pipe: %ls, xrefs: 00AA6CE5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
                                                                                                                                                                                                  • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 1214480349-2351670871
                                                                                                                                                                                                  • Opcode ID: 0b000f60fb827d1155e5e2f872bd64de85829afa5092cbd2c6359de54bd52837
                                                                                                                                                                                                  • Instruction ID: 699f33c990cbcbc23381ddfb89b58448e4f617d30b4c67c506a15d46b29900fa
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0b000f60fb827d1155e5e2f872bd64de85829afa5092cbd2c6359de54bd52837
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4510332E80625BBDB219FA4CD46B9EBBB4EF01720F140625FD00BB1D0E3759E808E90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00AABB5C,00000003,000007D0,00000003,?,000007D0,?,000007D0), ref: 00AD4C74
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4C7E
                                                                                                                                                                                                  • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 00AD4CBB
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4CC5
                                                                                                                                                                                                  • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00AD4D0C
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00AD4D30
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4D3A
                                                                                                                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 00AD4D77
                                                                                                                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00AD4D8E
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4DA7
                                                                                                                                                                                                  • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00AD4DDF
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4DE9
                                                                                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 00AD4E22
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4E30
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\cryputil.cpp, xrefs: 00AD4D5E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\cryputil.cpp
                                                                                                                                                                                                  • API String ID: 3955742341-2104629985
                                                                                                                                                                                                  • Opcode ID: 190e84444b099e47be7e732480f62a1fc9eff3c2aa21ddd46eca0e12e1e6d643
                                                                                                                                                                                                  • Instruction ID: dec95b054e8cc0855eb9055d5be44739f528f4f132287420ec7647d8eec52a97
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 190e84444b099e47be7e732480f62a1fc9eff3c2aa21ddd46eca0e12e1e6d643
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D51C936D41139ABDB31DB948D08BDA7B74BF08751F010166BE8AFB250D7B49D80CAE1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • moving, xrefs: 00AABC81
                                                                                                                                                                                                  • Failed to get cached path for package with cache id: %ls, xrefs: 00AABB20
                                                                                                                                                                                                  • copying, xrefs: 00AABC88, 00AABC90
                                                                                                                                                                                                  • Failed to concat complete cached path., xrefs: 00AABB4C
                                                                                                                                                                                                  • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00AABBFC
                                                                                                                                                                                                  • Failed to create unverified path., xrefs: 00AABBC6
                                                                                                                                                                                                  • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00AABC23
                                                                                                                                                                                                  • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00AABC49
                                                                                                                                                                                                  • Failed to move verified file to complete payload path: %ls, xrefs: 00AABCC4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
                                                                                                                                                                                                  • API String ID: 0-1289240508
                                                                                                                                                                                                  • Opcode ID: 2370f43d422328d164a8f5bbc7121512e178647230a06510350d70ef8693c9e4
                                                                                                                                                                                                  • Instruction ID: ed188545f9aa7c0fd02b32d61cff23b9f160a9641cca1fb488eeebae3df2ff1d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2370f43d422328d164a8f5bbc7121512e178647230a06510350d70ef8693c9e4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09519D36E00119FBDF226FA4CE42F9D7BB1AF19350F104151F901761A2EB769E60EBA1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetVersionExW.KERNEL32(0000011C), ref: 00A97FF7
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A98001
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get OS info., xrefs: 00A9802F
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A98122
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A98025
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastVersion
                                                                                                                                                                                                  • String ID: Failed to get OS info.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00AFF764,00000000,?,?,?,?,00AB2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00AD509B
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(00000000,?,00AB2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00AD50AB
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00AD50B4
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(8007139F,?,00AB2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00AD50CA
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00AFF764,00AB2E9E,?,00000000,0000FDE9,?,00AB2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00AD51C1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00AD5167
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                                                                                                                  • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,00000000,00000000,.unverified,?,?,?,00000000), ref: 00AAB84E
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AAB875
                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00AAB8D5
                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00AAB8E0
                                                                                                                                                                                                    • Part of subcall function 00A91700: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00A9175F
                                                                                                                                                                                                    • Part of subcall function 00A91700: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A91772
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
                                                                                                                                                                                                  • String ID: *.*$.unverified
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00ADBEDC
                                                                                                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00ADBEEE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00ADBF39
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00ADBEAC
                                                                                                                                                                                                  • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00ADBEC5
                                                                                                                                                                                                  • feclient.dll, xrefs: 00ADBEB6
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Time$InformationLocalSpecificSystemZone
                                                                                                                                                                                                  • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get the user name., xrefs: 00A97EEF
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A97F0B
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A97EE5
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastNameUser
                                                                                                                                                                                                  • String ID: Failed to get the user name.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FormatMessageW.KERNEL32(00A95F55,00A97154,?,00000000,00000000,00000000,?,80070656,?,?,?,00AB03E0,00000000,00A97154,00000000,80070656), ref: 00A92A7D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00AB03E0,00000000,00A97154,00000000,80070656,?,?,00AA5D7A,00A97154,?,80070656,00000001,crypt32.dll), ref: 00A92A8A
                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00AB03E0,00000000,00A97154,00000000,80070656,?,?,00AA5D7A,00A97154), ref: 00A92AD1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp, xrefs: 00A92AAE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp
                                                                                                                                                                                                  • API String ID: 1365068426-3940310746
                                                                                                                                                                                                  • Opcode ID: 5b555d3cafda4ec0caf8143e5583ed60ecbec239227213d74c5d03042d686d85
                                                                                                                                                                                                  • Instruction ID: 076da764221d91e8a0e60e8c42e37d5337c591c93bdcfcef660939b5a29eb96f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b555d3cafda4ec0caf8143e5583ed60ecbec239227213d74c5d03042d686d85
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F0139B7A41139BBDB20DB94CD09A9E7AE8EB14790F014162BD01EA250E6309E009BE1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00AB86C4,00000000,00000003), ref: 00AB872F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AB86C4,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00AB8AB3,?), ref: 00AB8739
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp, xrefs: 00AB875D
                                                                                                                                                                                                  • Failed to set service start type., xrefs: 00AB8767
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ChangeConfigErrorLastService
                                                                                                                                                                                                  • String ID: Failed to set service start type.$c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp
                                                                                                                                                                                                  • API String ID: 1456623077-3116139963
                                                                                                                                                                                                  • Opcode ID: 1a0455fe6c71117359c11fffc9ce57e14bf1285c9ccd9d318dd99625aa2e064b
                                                                                                                                                                                                  • Instruction ID: 46bb6b3b8917dc0558fe5d1d1f656ffa8ca947c2a3f314cf042215ba1a9a158c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a0455fe6c71117359c11fffc9ce57e14bf1285c9ccd9d318dd99625aa2e064b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7F0A73768513573472066D99C09EDB7E5CAF017B0B210311BD24BA2D2DE148C00C1E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _strrchr
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3213747228-0
                                                                                                                                                                                                  • Opcode ID: ead356c5c32556b7493eed0f8bb121733e1b08aafb7c0748a54a06101f233c3c
                                                                                                                                                                                                  • Instruction ID: af1a1c87a709176ea1a6cb2988256bbd0795f81841d84039695fb4f254570694
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ead356c5c32556b7493eed0f8bb121733e1b08aafb7c0748a54a06101f233c3c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EB14872D002499FDB158F68C881FFEBBF5EF65358F16816EE841AB241D2349D01CBA2
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AC865F
                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AC8669
                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AC8676
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                                                                                  • Opcode ID: 82e63a038d35283cc29c5cad429cafb995608f364fe52c97d3859359a22b15f9
                                                                                                                                                                                                  • Instruction ID: da354998909102cd35a29aed6c3bb4bc465932a5cf468d1301ea01071870f469
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 82e63a038d35283cc29c5cad429cafb995608f364fe52c97d3859359a22b15f9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D31C27494122C9BCB21DF64D989B9DBBB8BF08310F5141EAE40DA7291EB749F858F44
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AD8243: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00AD80E3,?), ref: 00AD82B4
                                                                                                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AD8107
                                                                                                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AD8118
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocateCheckCloseInitializeMembershipToken
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2114926846-0
                                                                                                                                                                                                  • Opcode ID: efafe51ba908d4781c26c3e283501c3a4b35607f950ab713e277b1d45685bdf6
                                                                                                                                                                                                  • Instruction ID: e71a8dff9ed5215bc6f14d4de91a973bfe26d09318768a8519efea1e60d89b47
                                                                                                                                                                                                  • Opcode Fuzzy Hash: efafe51ba908d4781c26c3e283501c3a4b35607f950ab713e277b1d45685bdf6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF112AB190021AABDF10DFA4DC85FAEB7F8FF08304F50442AA502A6241DB749A49CB60
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 4da19e509b431cf1fd742d63bc4730843c660963edd5c1a92fb8d6bd2ccd4690
                                                                                                                                                                                                  • Instruction ID: 0751d3d34703a01d3ccc40cb5b9619f4778c0531fe8d960c86775930f8897dae
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4da19e509b431cf1fd742d63bc4730843c660963edd5c1a92fb8d6bd2ccd4690
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B31B976900219AFDB20EFE9DC89EBBB77DEB84320F15415DF91997245EA30AD408B60
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00AA2263
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                  • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.14.1.8722$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$crypt32.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,00A97123,00000000,00ADFD50,00A9710B,00000000), ref: 00A9EBE9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • CertificateRootPublicKeyIdentifier, xrefs: 00A9ED33
                                                                                                                                                                                                  • Hash, xrefs: 00A9EDAD
                                                                                                                                                                                                  • Catalog, xrefs: 00A9EDE2
                                                                                                                                                                                                  • Failed to get @DownloadUrl., xrefs: 00A9EEDE
                                                                                                                                                                                                  • Failed to hex decode @CertificateRootThumbprint., xrefs: 00A9EEB4
                                                                                                                                                                                                  • Failed to parse @FileSize., xrefs: 00A9EE95
                                                                                                                                                                                                  • Failed to get payload node count., xrefs: 00A9EB06
                                                                                                                                                                                                  • Failed to get @Packaging., xrefs: 00A9EF07
                                                                                                                                                                                                  • Failed to get @LayoutOnly., xrefs: 00A9EE8B
                                                                                                                                                                                                  • FilePath, xrefs: 00A9EBA1
                                                                                                                                                                                                  • embedded, xrefs: 00A9EBFB
                                                                                                                                                                                                  • Failed to get @CertificateRootThumbprint., xrefs: 00A9EEBB
                                                                                                                                                                                                  • DownloadUrl, xrefs: 00A9ECCF
                                                                                                                                                                                                  • Failed to to find container: %ls, xrefs: 00A9EE7A
                                                                                                                                                                                                  • download, xrefs: 00A9EBDB
                                                                                                                                                                                                  • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00A9EEAD
                                                                                                                                                                                                  • Failed to get @Id., xrefs: 00A9EF15
                                                                                                                                                                                                  • CertificateRootThumbprint, xrefs: 00A9ED70
                                                                                                                                                                                                  • LayoutOnly, xrefs: 00A9EC83
                                                                                                                                                                                                  • Failed to allocate memory for payload structs., xrefs: 00A9EB3F
                                                                                                                                                                                                  • Invalid value for @Packaging: %ls, xrefs: 00A9EEF4
                                                                                                                                                                                                  • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00A9EEA6
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp, xrefs: 00A9EB35
                                                                                                                                                                                                  • external, xrefs: 00A9EC17
                                                                                                                                                                                                  • FileSize, xrefs: 00A9ECF8
                                                                                                                                                                                                  • SourcePath, xrefs: 00A9ECA6
                                                                                                                                                                                                  • Container, xrefs: 00A9EC41
                                                                                                                                                                                                  • Payload, xrefs: 00A9EACE
                                                                                                                                                                                                  • Failed to get next node., xrefs: 00A9EF1C
                                                                                                                                                                                                  • Failed to get @Container., xrefs: 00A9EE81
                                                                                                                                                                                                  • Failed to find catalog., xrefs: 00A9EEC2
                                                                                                                                                                                                  • Failed to get @Hash., xrefs: 00A9EED7
                                                                                                                                                                                                  • Failed to get @SourcePath., xrefs: 00A9EEE5
                                                                                                                                                                                                  • Failed to select payload nodes., xrefs: 00A9EAE1
                                                                                                                                                                                                  • Failed to get @FileSize., xrefs: 00A9EE9F
                                                                                                                                                                                                  • Failed to get @Catalog., xrefs: 00A9EEC9
                                                                                                                                                                                                  • Packaging, xrefs: 00A9EBBC
                                                                                                                                                                                                  • Failed to hex decode the Payload/@Hash., xrefs: 00A9EED0
                                                                                                                                                                                                  • Failed to get @FilePath., xrefs: 00A9EF0E
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateCompareProcessString
                                                                                                                                                                                                  • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp$download$embedded$external
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00A9710B,?,00000000,80070490,?,?,?,?,?,?,?,?,00ABDCD5,?,00A9710B,?), ref: 00A9A1D1
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00A9710B,?,?,?,?,?,?,?,?,00ABDCD5,?,00A9710B,?,00A9710B,00A9710B,Chain), ref: 00A9A534
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • numeric, xrefs: 00A9A2E6
                                                                                                                                                                                                  • Persisted, xrefs: 00A9A274
                                                                                                                                                                                                  • Initializing hidden variable '%ls', xrefs: 00A9A39B
                                                                                                                                                                                                  • Failed to get @Persisted., xrefs: 00A9A511
                                                                                                                                                                                                  • Failed to select variable nodes., xrefs: 00A9A1EE
                                                                                                                                                                                                  • Failed to get @Value., xrefs: 00A9A4BC
                                                                                                                                                                                                  • string, xrefs: 00A9A321
                                                                                                                                                                                                  • Failed to get @Id., xrefs: 00A9A51F
                                                                                                                                                                                                  • Failed to insert variable '%ls'., xrefs: 00A9A4C6
                                                                                                                                                                                                  • Hidden, xrefs: 00A9A259
                                                                                                                                                                                                  • Failed to change variant type., xrefs: 00A9A50A
                                                                                                                                                                                                  • Initializing version variable '%ls' to value '%ls', xrefs: 00A9A37D
                                                                                                                                                                                                  • Variable, xrefs: 00A9A1DB
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A9A4B5
                                                                                                                                                                                                  • Failed to get next node., xrefs: 00A9A526
                                                                                                                                                                                                  • Failed to get @Type., xrefs: 00A9A4AE
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A9A4E9
                                                                                                                                                                                                  • Failed to find variable value '%ls'., xrefs: 00A9A502
                                                                                                                                                                                                  • Attempt to set built-in variable value: %ls, xrefs: 00A9A4F8
                                                                                                                                                                                                  • Initializing numeric variable '%ls' to value '%ls', xrefs: 00A9A30C
                                                                                                                                                                                                  • Failed to set value of variable: %ls, xrefs: 00A9A4D7
                                                                                                                                                                                                  • Initializing string variable '%ls' to value '%ls', xrefs: 00A9A344
                                                                                                                                                                                                  • Type, xrefs: 00A9A2CD
                                                                                                                                                                                                  • Failed to get variable node count., xrefs: 00A9A20B
                                                                                                                                                                                                  • Invalid value for @Type: %ls, xrefs: 00A9A49B
                                                                                                                                                                                                  • Value, xrefs: 00A9A28F
                                                                                                                                                                                                  • Failed to set variant encryption, xrefs: 00A9A4CD
                                                                                                                                                                                                  • Failed to get @Hidden., xrefs: 00A9A518
                                                                                                                                                                                                  • version, xrefs: 00A9A356
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$numeric$string$version
                                                                                                                                                                                                  • API String ID: 3168844106-3004887034
                                                                                                                                                                                                  • Opcode ID: 55dc0426ece7d91b07c10bee5e783570534b81b79d1de53ee64f78acb898e037
                                                                                                                                                                                                  • Instruction ID: 56c82ce23f0c66e098abae16edea25906d3c27e1ce61030cbe17f0e20d62f4ec
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 55dc0426ece7d91b07c10bee5e783570534b81b79d1de53ee64f78acb898e037
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FAB1D232F00229BBCF11AB94CC45EAEBBF5BF54710F114663F916BA291D7709A409BD2
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00AADAB6,00000007,?,?,?), ref: 00AB88AB
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00A97B69,00000000), ref: 00AD5CE7
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetProcAddress.KERNEL32(00000000), ref: 00AD5CEE
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D09
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00AB8C9A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00AB8CAE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • WixBundleExecutePackageCacheFolder, xrefs: 00AB8996, 00AB8CC6
                                                                                                                                                                                                  • Failed to find Windows directory., xrefs: 00AB88EA
                                                                                                                                                                                                  • Failed to build MSU path., xrefs: 00AB89C0
                                                                                                                                                                                                  • Failed to get action arguments for MSU package., xrefs: 00AB8961
                                                                                                                                                                                                  • Failed to get process exit code., xrefs: 00AB8BB7
                                                                                                                                                                                                  • Failed to find System32 directory., xrefs: 00AB8920
                                                                                                                                                                                                  • /log:, xrefs: 00AB8A2D
                                                                                                                                                                                                  • SysNative\, xrefs: 00AB88F5
                                                                                                                                                                                                  • Failed to get cached path for package: %ls, xrefs: 00AB8987
                                                                                                                                                                                                  • Bootstrapper application aborted during MSU progress., xrefs: 00AB8BDF
                                                                                                                                                                                                  • Failed to determine WOW64 status., xrefs: 00AB88BD
                                                                                                                                                                                                  • 2, xrefs: 00AB8B3E
                                                                                                                                                                                                  • Failed to format MSU uninstall command., xrefs: 00AB8A14
                                                                                                                                                                                                  • D, xrefs: 00AB8AC6
                                                                                                                                                                                                  • Failed to wait for executable to complete: %ls, xrefs: 00AB8C29
                                                                                                                                                                                                  • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00AB8A00
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp, xrefs: 00AB8B18, 00AB8BAD, 00AB8BD5
                                                                                                                                                                                                  • wusa.exe, xrefs: 00AB892B
                                                                                                                                                                                                  • Failed to format MSU install command., xrefs: 00AB89E7
                                                                                                                                                                                                  • "%ls" "%ls" /quiet /norestart, xrefs: 00AB89D3
                                                                                                                                                                                                  • Failed to CreateProcess on path: %ls, xrefs: 00AB8B25
                                                                                                                                                                                                  • Failed to append log switch to MSU command-line., xrefs: 00AB8A41
                                                                                                                                                                                                  • Failed to allocate WUSA.exe path., xrefs: 00AB893E
                                                                                                                                                                                                  • Failed to append SysNative directory., xrefs: 00AB8908
                                                                                                                                                                                                  • Failed to append log path to MSU command-line., xrefs: 00AB8A5F
                                                                                                                                                                                                  • Failed to ensure WU service was enabled to install MSU package., xrefs: 00AB8AB9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                                                                                                                                                                  • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp$wusa.exe
                                                                                                                                                                                                  • API String ID: 1400713077-12544174
                                                                                                                                                                                                  • Opcode ID: 608c9ddc597f99ba4e4e66b51ff9cd357bb6bc31061ad19484ef2fb4a666bbcf
                                                                                                                                                                                                  • Instruction ID: 1fad020cbfb27117504a4caf90c92edd4888b7c3c2ab2514156784a3e25da0ca
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 608c9ddc597f99ba4e4e66b51ff9cd357bb6bc31061ad19484ef2fb4a666bbcf
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66D18E71B4121ABBDF119FE8CD85EEEBBBCBB08700F104525F601A6192DBB89A44DB51
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00ABEFAA
                                                                                                                                                                                                  • StringFromGUID2.OLE32(?,?,00000027), ref: 00ABEFD3
                                                                                                                                                                                                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 00ABF0BC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00ABF0C6
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 00ABF15F
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00ADE500,000000FF,?,?,?,?), ref: 00ABF16A
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(00ADE500,?,?,?,?), ref: 00ABF194
                                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00ABF1B5
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00ABF1C3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00ABF1FB
                                                                                                                                                                                                    • Part of subcall function 00ABEE3D: WaitForSingleObject.KERNEL32(?,000000FF,76F930B0,00000000,?,?,?,00ABF139,?), ref: 00ABEE5C
                                                                                                                                                                                                    • Part of subcall function 00ABEE3D: ReleaseMutex.KERNEL32(?,?,?,00ABF139,?), ref: 00ABEE70
                                                                                                                                                                                                    • Part of subcall function 00ABEE3D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ABEEB5
                                                                                                                                                                                                    • Part of subcall function 00ABEE3D: ReleaseMutex.KERNEL32(?), ref: 00ABEEC8
                                                                                                                                                                                                    • Part of subcall function 00ABEE3D: SetEvent.KERNEL32(?), ref: 00ABEED1
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00ABF2A4
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00ABF2BC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to wait for netfx chainer process to complete, xrefs: 00ABF229
                                                                                                                                                                                                  • Failed to get netfx return code., xrefs: 00ABF1F1
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 00ABEFE8, 00ABF0EA, 00ABF1E7, 00ABF21F
                                                                                                                                                                                                  • D, xrefs: 00ABF0A1
                                                                                                                                                                                                  • Failed to create netfx chainer., xrefs: 00ABF055
                                                                                                                                                                                                  • Failed to create netfx chainer guid., xrefs: 00ABEFB7
                                                                                                                                                                                                  • NetFxSection.%ls, xrefs: 00ABF000
                                                                                                                                                                                                  • %ls /pipe %ls, xrefs: 00ABF076
                                                                                                                                                                                                  • Failed to allocate section name., xrefs: 00ABF014
                                                                                                                                                                                                  • Failed to CreateProcess on path: %ls, xrefs: 00ABF0F5
                                                                                                                                                                                                  • Failed to allocate netfx chainer arguments., xrefs: 00ABF08A
                                                                                                                                                                                                  • Failed to allocate event name., xrefs: 00ABF036
                                                                                                                                                                                                  • NetFxEvent.%ls, xrefs: 00ABF022
                                                                                                                                                                                                  • Failed to convert netfx chainer guid into string., xrefs: 00ABEFF2
                                                                                                                                                                                                  • Failed to process netfx chainer message., xrefs: 00ABF13F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
                                                                                                                                                                                                  • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                                                  • API String ID: 1533322865-1631416786
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00ADAB7A
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADAD43
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADADE0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$FreeHeap$AllocateCompareProcess
                                                                                                                                                                                                  • String ID: ($@$author$c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp$category$entry$generator$icon$link$logo$subtitle$title$updated
                                                                                                                                                                                                  • API String ID: 1555028553-309237817
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00AF7968,000000FF,?,?,?), ref: 00ADA7F3
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00ADA818
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00ADA838
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00ADA854
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00ADA87C
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00ADA898
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00ADA8D1
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00ADA90A
                                                                                                                                                                                                    • Part of subcall function 00ADA375: SysFreeString.OLEAUT32(00000000), ref: 00ADA4AE
                                                                                                                                                                                                    • Part of subcall function 00ADA375: SysFreeString.OLEAUT32(00000000), ref: 00ADA4ED
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA98E
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADAA3E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$Compare$Free
                                                                                                                                                                                                  • String ID: ($author$c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
                                                                                                                                                                                                  • API String ID: 318886736-4028550536
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,753DB390,?,00A96205,?,00ADE500), ref: 00AA71B6
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA71C1
                                                                                                                                                                                                  • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA71F8
                                                                                                                                                                                                  • ConnectNamedPipe.KERNEL32(?,00000000,?,00A96205,?,00ADE500), ref: 00AA720D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA7217
                                                                                                                                                                                                  • Sleep.KERNEL32(00000064,?,00A96205,?,00ADE500), ref: 00AA724C
                                                                                                                                                                                                  • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA726F
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA728A
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,00A96205,00ADE500,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA72A5
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA72C0
                                                                                                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA72DB
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA7336
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA736A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA739E
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA73D2
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA7403
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA7434
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                                                                                                                                                  • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                                                                                                                                                                                                  • API String ID: 2944378912-1623437160
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9C155
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9C17D
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00A9C47C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get expand environment string., xrefs: 00A9C3EA
                                                                                                                                                                                                  • Unsupported registry key value type. Type = '%u', xrefs: 00A9C30F
                                                                                                                                                                                                  • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A9C21F
                                                                                                                                                                                                  • Failed to open registry key., xrefs: 00A9C1F0
                                                                                                                                                                                                  • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00A9C454
                                                                                                                                                                                                  • Failed to allocate string buffer., xrefs: 00A9C370
                                                                                                                                                                                                  • Failed to query registry key value., xrefs: 00A9C2E1
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\search.cpp, xrefs: 00A9C24D, 00A9C282, 00A9C2D5, 00A9C3DE
                                                                                                                                                                                                  • Failed to allocate memory registry value., xrefs: 00A9C28C
                                                                                                                                                                                                  • Failed to format value string., xrefs: 00A9C18A
                                                                                                                                                                                                  • Failed to change value type., xrefs: 00A9C420, 00A9C443
                                                                                                                                                                                                  • Failed to format key string., xrefs: 00A9C162
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9C43E
                                                                                                                                                                                                  • Failed to query registry key value size., xrefs: 00A9C259
                                                                                                                                                                                                  • Failed to clear variable., xrefs: 00A9C1DB
                                                                                                                                                                                                  • Failed to read registry value., xrefs: 00A9C405
                                                                                                                                                                                                  • Registry key not found. Key = '%ls', xrefs: 00A9C1B5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open@16$Close
                                                                                                                                                                                                  • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\36\s\wix\src\burn\engine\search.cpp
                                                                                                                                                                                                  • API String ID: 2348241696-1030985318
                                                                                                                                                                                                  • Opcode ID: 1d110f9180f49e3ef29bad007ac61db104ab71abde8c6e70a95c13f79c7098f0
                                                                                                                                                                                                  • Instruction ID: 6ffe69fd38f213e0bc8bbc6ef5ebdb757ff975187c16a2833a9c204068e09f45
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1d110f9180f49e3ef29bad007ac61db104ab71abde8c6e70a95c13f79c7098f0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5FA1A672F40935BBDF119BA8CD45AFEBAF9AB08720F108511F901FA251D6719E009BD1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,00A9C5C6,00000100,000002C0,000002C0,00000100), ref: 00A97455
                                                                                                                                                                                                  • lstrlenW.KERNEL32(000002C0,?,00A9C5C6,00000100,000002C0,000002C0,00000100), ref: 00A9745F
                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00A97664
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00A9C5C6,00000100,000002C0,000002C0,00000100), ref: 00A97907
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                                                                                                                  • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 1026845265-424859304
                                                                                                                                                                                                  • Opcode ID: 7b004d3113a9ed8a86ff0c520339b042737bf687db73ff351c6e1ce4ff79550f
                                                                                                                                                                                                  • Instruction ID: 6d2f218e69d0c72204a513078224565ef120c8cf77f637e0762d9f33fe2da57f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b004d3113a9ed8a86ff0c520339b042737bf687db73ff351c6e1ce4ff79550f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9F1B072F14229BBCF11DFA58941EAF7BF8EF44B50F15852AB901AB240D7749A40CBB0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,00ABF04F,?,?,?), ref: 00ABE9CA
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00ABF04F,?,?,?), ref: 00ABE9D7
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?), ref: 00ABEC3F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                                                                                                                                                                                                  • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                                                                                                                                                                                  • API String ID: 3944734951-2347003636
                                                                                                                                                                                                  • Opcode ID: bf12ffec84e9fb669f4b8c71225d24441a1c5a4c0cd7c89000ec007cd1c726a5
                                                                                                                                                                                                  • Instruction ID: 9b038fde801b89f73448b74752b0de304cbcd5fd72dfe21b4c53ae18f039841b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf12ffec84e9fb669f4b8c71225d24441a1c5a4c0cd7c89000ec007cd1c726a5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AC81E376A81726BBCB21DBA8CD49EEABAF8BF14750F014655FD05AB242D770DD0086E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AD7952: VariantInit.OLEAUT32(?), ref: 00AD7968
                                                                                                                                                                                                    • Part of subcall function 00AD7952: SysAllocString.OLEAUT32(?), ref: 00AD7984
                                                                                                                                                                                                    • Part of subcall function 00AD7952: VariantClear.OLEAUT32(?), ref: 00AD7A0B
                                                                                                                                                                                                    • Part of subcall function 00AD7952: SysFreeString.OLEAUT32(00000000), ref: 00AD7A16
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,00ADFD50,?,?,Action,?,?,?,00000000,00A9710B), ref: 00AA0804
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 00AA084E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Detect, xrefs: 00AA07F5
                                                                                                                                                                                                  • comres.dll, xrefs: 00AA0817
                                                                                                                                                                                                  • cabinet.dll, xrefs: 00AA08AB
                                                                                                                                                                                                  • Patch, xrefs: 00AA08CE
                                                                                                                                                                                                  • RelatedBundle, xrefs: 00AA0741
                                                                                                                                                                                                  • Failed to resize Addon code array in registration, xrefs: 00AA092D
                                                                                                                                                                                                  • Failed to resize Upgrade code array in registration, xrefs: 00AA0926
                                                                                                                                                                                                  • Failed to get RelatedBundle element count., xrefs: 00AA0788
                                                                                                                                                                                                  • Upgrade, xrefs: 00AA0841
                                                                                                                                                                                                  • Invalid value for @Action: %ls, xrefs: 00AA0943
                                                                                                                                                                                                  • Failed to get next RelatedBundle element., xrefs: 00AA0961
                                                                                                                                                                                                  • Failed to get @Action., xrefs: 00AA095A
                                                                                                                                                                                                  • Failed to resize Detect code array in registration, xrefs: 00AA091F
                                                                                                                                                                                                  • Failed to resize Patch code array in registration, xrefs: 00AA0934
                                                                                                                                                                                                  • Addon, xrefs: 00AA088B
                                                                                                                                                                                                  • Failed to get @Id., xrefs: 00AA0953
                                                                                                                                                                                                  • version.dll, xrefs: 00AA0861
                                                                                                                                                                                                  • Failed to get RelatedBundle nodes, xrefs: 00AA0763
                                                                                                                                                                                                  • Action, xrefs: 00AA07C1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$CompareVariant$AllocClearFreeInit
                                                                                                                                                                                                  • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
                                                                                                                                                                                                  • API String ID: 702752599-259800149
                                                                                                                                                                                                  • Opcode ID: eb1628749b4723a2c5870f8b684cdb7e902254fc35c15ff871af05f85752b7ac
                                                                                                                                                                                                  • Instruction ID: 39b3fca81330dcf986906e2dad1cbde516f2503d0256f0dbd4bdd91af83fd970
                                                                                                                                                                                                  • Opcode Fuzzy Hash: eb1628749b4723a2c5870f8b684cdb7e902254fc35c15ff871af05f85752b7ac
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8871BE71E05A26BBDB10DF64CD81EAEB7B4BF05724F204255E921BB6C1D770AE11CB80
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00AA68B3,00ADE4E8,?,feclient.dll,00000000,?,?), ref: 00AA63B7
                                                                                                                                                                                                  • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00AA68B3,00ADE4E8,?,feclient.dll,00000000,?,?), ref: 00AA63D8
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA68B3,00ADE4E8,?,feclient.dll,00000000,?,?), ref: 00AA63DE
                                                                                                                                                                                                  • ReadFile.KERNEL32(feclient.dll,00000000,00ADE518,?,00000000,00000000,00ADE519,?,00AA68B3,00ADE4E8,?,feclient.dll,00000000,?,?), ref: 00AA646C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA68B3,00ADE4E8,?,feclient.dll,00000000,?,?), ref: 00AA6472
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastRead$CurrentProcess
                                                                                                                                                                                                  • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$feclient.dll$msasn1.dll
                                                                                                                                                                                                  • API String ID: 1233551569-2778284747
                                                                                                                                                                                                  • Opcode ID: 4a32c63219ba4f55aabe7b71423ecc36a106cf88e4aa19a21b48909380a33eb8
                                                                                                                                                                                                  • Instruction ID: c128f458e22f583253a2d7f0c2a908923a92a87b186db31b180a81e873ce7063
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a32c63219ba4f55aabe7b71423ecc36a106cf88e4aa19a21b48909380a33eb8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4251E673E81226B7DB21DB958D85F7EB678AF05B10F190256BE01BB1C0D774CD019AE1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                                                  • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                                                                                                                                                                                                  • API String ID: 760788290-1911311241
                                                                                                                                                                                                  • Opcode ID: f6a46907d322475852c4776e5f28f7cc057713c0e0d7a41cc483171fd7130f8d
                                                                                                                                                                                                  • Instruction ID: 5ef41c6e5f2c29d5443a3bb8e72babeb9f8998997a34b7768dbe95f94a58a4d1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f6a46907d322475852c4776e5f28f7cc057713c0e0d7a41cc483171fd7130f8d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C41DA72A88B76B7DB2196698C52FFE766CBB18720F200721F925B62C3D765ED104290
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,5600AE0E,00000001,?,00A9B648,?,00000000,00000000,?,?,00A9B630,?,?,00000000,?), ref: 00A9ACBA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00A9ADA2
                                                                                                                                                                                                  • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00A9B08A
                                                                                                                                                                                                  • AND, xrefs: 00A9AFC6
                                                                                                                                                                                                  • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00A9B112
                                                                                                                                                                                                  • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00A9AEE8
                                                                                                                                                                                                  • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00A9AE6C
                                                                                                                                                                                                  • NOT, xrefs: 00A9AFE5
                                                                                                                                                                                                  • -, xrefs: 00A9AE22
                                                                                                                                                                                                  • Failed to set symbol value., xrefs: 00A9AD6A
                                                                                                                                                                                                  • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00A9B0CE
                                                                                                                                                                                                  • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00A9AF4C
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\condition.cpp, xrefs: 00A9AD8E, 00A9AE58, 00A9AED4, 00A9AF38, 00A9B076, 00A9B0BA, 00A9B0FE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: StringType
                                                                                                                                                                                                  • String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$c:\agent\_work\36\s\wix\src\burn\engine\condition.cpp
                                                                                                                                                                                                  • API String ID: 4177115715-1774165349
                                                                                                                                                                                                  • Opcode ID: 0df2ab3cdad293a9e860448254d1cf9bafbce1bedf4d472788c62a04e9bba624
                                                                                                                                                                                                  • Instruction ID: 1c8ebf1ecc01441bdb43c92192d793317807d7ccd9a2dc5e5c03a31bf60e7e44
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0df2ab3cdad293a9e860448254d1cf9bafbce1bedf4d472788c62a04e9bba624
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 75F1DDB1710215FBDF288F54DA99BAA7BF4FB04700F20460AF9059E681D3B5DA90CBE1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00AB3882
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00AB38A0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareHeapString$AllocateProcess
                                                                                                                                                                                                  • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$c:\agent\_work\36\s\wix\src\burn\engine\exeengine.cpp$error$forceReboot$scheduleReboot$success
                                                                                                                                                                                                  • API String ID: 2664528157-1728831734
                                                                                                                                                                                                  • Opcode ID: 95697c5dd0748641ce67684d6b9883334d018d42a373a0208cecee7552fba950
                                                                                                                                                                                                  • Instruction ID: 5531622259f132c35fe2ef7bb2fec814b29b9bf860247dcb04df7bbc4d3c4274
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95697c5dd0748641ce67684d6b9883334d018d42a373a0208cecee7552fba950
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2261E576A04226BBCF10DB95CC51EAEBBB8AF40720F204655F425BB2D2DBB19F00D750
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9F19E: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00AA8C6F,000000B8,00000000,?,00000000,753DB390), ref: 00A9F1AD
                                                                                                                                                                                                    • Part of subcall function 00A9F19E: LeaveCriticalSection.KERNEL32(000000D0,?,00AA8C6F,000000B8,00000000,?,00000000,753DB390), ref: 00A9F1D0
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(00000000,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00AA8BBE
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AA8BC7
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00AA8BE7
                                                                                                                                                                                                    • Part of subcall function 00ABD81F: SetThreadExecutionState.KERNEL32(80000001), ref: 00ABD824
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • comres.dll, xrefs: 00AA8C0D
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00AA88FE
                                                                                                                                                                                                  • Another per-machine setup is already executing., xrefs: 00AA8A00
                                                                                                                                                                                                  • Failed to set initial apply variables., xrefs: 00AA8936
                                                                                                                                                                                                  • Failed to register bundle., xrefs: 00AA8A23
                                                                                                                                                                                                  • UX aborted apply begin., xrefs: 00AA88CC
                                                                                                                                                                                                  • Failed to cache engine to working directory., xrefs: 00AA89A0
                                                                                                                                                                                                  • Failed to elevate., xrefs: 00AA89C6
                                                                                                                                                                                                  • Failed while caching, aborting execution., xrefs: 00AA8AC5
                                                                                                                                                                                                  • Another per-user setup is already executing., xrefs: 00AA890C
                                                                                                                                                                                                  • Failed to create cache thread., xrefs: 00AA8A9D
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\core.cpp, xrefs: 00AA88C2, 00AA8A93
                                                                                                                                                                                                  • Engine cannot start apply because it is busy with another action., xrefs: 00AA885B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCriticalHandleSection$EnterExecutionLeaveMutexReleaseStateThread
                                                                                                                                                                                                  • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$c:\agent\_work\36\s\wix\src\burn\engine\core.cpp$comres.dll$crypt32.dll
                                                                                                                                                                                                  • API String ID: 303827279-3583512883
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00ADB772
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00ADB78D
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 00ADB830
• CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,00ADE518,00000000), ref: 00ADB86F
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00ADB8C2
• CompareStringW.KERNEL32(0000007F,00000000,00ADE518,000000FF,true,000000FF), ref: 00ADB8E0
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00ADB918
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00ADBA5C
Strings
Similarity
• API ID: CompareString
• String ID: application$c:\agent\_work\36\s\wix\src\libs\dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
• API String ID: 1825529933-3613382904
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00ADAE72
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00ADAE97
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00ADAEB7
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00ADAEEA
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00ADAF06
• SysFreeString.OLEAUT32(00000000), ref: 00ADAF31
• SysFreeString.OLEAUT32(00000000), ref: 00ADAFA8
• SysFreeString.OLEAUT32(00000000), ref: 00ADAFF4
Strings
Similarity
• API ID: String$Compare$Free
• String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
• API String ID: 318886736-3944986760
APIs
  • Part of subcall function 00AAFF39: LoadBitmapW.USER32(?,00000001), ref: 00AAFF6F
  • Part of subcall function 00AAFF39: GetLastError.KERNEL32 ref: 00AAFF7B
• LoadCursorW.USER32(00000000,00007F00), ref: 00AB00B1
• RegisterClassW.USER32(?), ref: 00AB00C5
• GetLastError.KERNEL32 ref: 00AB00D0
• UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00AB01D5
• DeleteObject.GDI32(00000000), ref: 00AB01E4
Strings
Similarity
• API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
• String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp
• API String ID: 164797020-2801829539
APIs
• WaitForMultipleObjects.KERNEL32(00000001,00ABD79F,00000000,000000FF,00000001,00000000,00000000,00ABD79F,00000001,?), ref: 00ABB99B
• GetLastError.KERNEL32 ref: 00ABBB0B
• GetExitCodeThread.KERNEL32(?,00000001), ref: 00ABBB4B
• GetLastError.KERNEL32 ref: 00ABBB55
Strings
• Failed to wait for cache check-point., xrefs: 00ABBB3C
• Cache thread exited unexpectedly., xrefs: 00ABBB9C
• Failed to get cache thread exit code., xrefs: 00ABBB86
• Failed to execute package provider registration action., xrefs: 00ABBA6C
• Invalid execute action., xrefs: 00ABBBAB
• Failed to execute EXE package., xrefs: 00ABB9D2
• Failed to load compatible package on per-machine package., xrefs: 00ABBAB1
• Failed to execute MSP package., xrefs: 00ABBA20
• Failed to execute MSU package., xrefs: 00ABBA50
• Failed to execute compatible package action., xrefs: 00ABBAC8
• c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp, xrefs: 00ABBB32, 00ABBB7C
• Failed to execute dependency action., xrefs: 00ABBA8B
• Failed to execute MSI package., xrefs: 00ABB9FB
Similarity
• API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
• String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp
• API String ID: 3703294532-2334309227
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AD8144: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00AD8193
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,00AE4178,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 00AA1122
                                                                                                                                                                                                    • Part of subcall function 00A95D42: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00AA0F6F,00AE4178,Resume,00000005,?,00000000,00000000,00000000), ref: 00A95D57
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to delete resume command line value., xrefs: 00AA10FE
                                                                                                                                                                                                  • Failed to format resume command line for RunOnce., xrefs: 00AA0FDB
                                                                                                                                                                                                  • Failed to write run key value., xrefs: 00AA101D
                                                                                                                                                                                                  • Failed to create run key., xrefs: 00AA0FFF
                                                                                                                                                                                                  • burn.runonce, xrefs: 00AA0FBC
                                                                                                                                                                                                  • BundleResumeCommandLine, xrefs: 00AA102A, 00AA10BD
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp, xrefs: 00AA10A6, 00AA10F4
                                                                                                                                                                                                  • Failed to delete run key value., xrefs: 00AA10B0
                                                                                                                                                                                                  • Resume, xrefs: 00AA0F64
                                                                                                                                                                                                  • Installed, xrefs: 00AA0F87
                                                                                                                                                                                                  • Failed to write Installed value., xrefs: 00AA0F98
                                                                                                                                                                                                  • Failed to write Resume value., xrefs: 00AA0F75
                                                                                                                                                                                                  • "%ls" /%ls, xrefs: 00AA0FC7
                                                                                                                                                                                                  • Failed to write resume command line value., xrefs: 00AA103F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseValueVersion
                                                                                                                                                                                                  • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(76F88FB0,00000000,00000000), ref: 00ABE7A2
                                                                                                                                                                                                    • Part of subcall function 00AA6A52: UuidCreate.RPCRT4(?), ref: 00AA6A85
                                                                                                                                                                                                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00AB3FC7,?,?,00000000,?,?,?), ref: 00ABE880
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 00ABE88A
                                                                                                                                                                                                  • GetProcessId.KERNEL32(00AB3FC7,?,?,00000000,?,?,?,?), ref: 00ABE8C2
                                                                                                                                                                                                    • Part of subcall function 00AA7195: lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,753DB390,?,00A96205,?,00ADE500), ref: 00AA71B6
                                                                                                                                                                                                    • Part of subcall function 00AA7195: GetCurrentProcessId.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA71C1
                                                                                                                                                                                                    • Part of subcall function 00AA7195: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA71F8
                                                                                                                                                                                                    • Part of subcall function 00AA7195: ConnectNamedPipe.KERNEL32(?,00000000,?,00A96205,?,00ADE500), ref: 00AA720D
                                                                                                                                                                                                    • Part of subcall function 00AA7195: GetLastError.KERNEL32(?,00A96205,?,00ADE500), ref: 00AA7217
                                                                                                                                                                                                    • Part of subcall function 00AA7195: Sleep.KERNEL32(00000064,?,00A96205,?,00ADE500), ref: 00AA724C
                                                                                                                                                                                                    • Part of subcall function 00AA7195: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA726F
                                                                                                                                                                                                    • Part of subcall function 00AA7195: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA728A
                                                                                                                                                                                                    • Part of subcall function 00AA7195: WriteFile.KERNEL32(?,00A96205,00ADE500,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA72A5
                                                                                                                                                                                                    • Part of subcall function 00AA7195: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00A96205,?,00ADE500), ref: 00AA72C0
                                                                                                                                                                                                    • Part of subcall function 00AD5C34: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00A96BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00AD5C40
                                                                                                                                                                                                    • Part of subcall function 00AD5C34: GetLastError.KERNEL32(?,00A96BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00AD5C4E
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00ABE6F6,?,?,?,?,?,00000000,?,?,?,?), ref: 00ABE946
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00ABE6F6,?,?,?,?,?,00000000,?,?,?,?), ref: 00ABE955
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,00ABE6F6,?,?,?,?,?,00000000,?,?,?), ref: 00ABE96C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to allocate embedded command., xrefs: 00ABE859
                                                                                                                                                                                                  • Failed to wait for embedded executable: %ls, xrefs: 00ABE929
                                                                                                                                                                                                  • Failed to process messages from embedded message., xrefs: 00ABE909
                                                                                                                                                                                                  • %ls -%ls %ls %ls %u, xrefs: 00ABE845
                                                                                                                                                                                                  • Failed to wait for embedded process to connect to pipe., xrefs: 00ABE8E4
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\embedded.cpp, xrefs: 00ABE8AB
                                                                                                                                                                                                  • Failed to create embedded pipe name and client token., xrefs: 00ABE805
                                                                                                                                                                                                  • burn.embedded, xrefs: 00ABE83D
                                                                                                                                                                                                  • Failed to create embedded pipe., xrefs: 00ABE82C
                                                                                                                                                                                                  • Failed to create embedded process at path: %ls, xrefs: 00ABE8B8
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
                                                                                                                                                                                                  • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$c:\agent\_work\36\s\wix\src\burn\engine\embedded.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00ADBA79,00000001,?), ref: 00ADB5AF
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00ADBA79,00000001,?), ref: 00ADB5CA
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00ADBA79,00000001,?), ref: 00ADB5E5
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00ADBA79,00000001,?), ref: 00ADB651
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00ADBA79,00000001,?), ref: 00ADB675
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00ADBA79,00000001,?), ref: 00ADB699
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00ADBA79,00000001,?), ref: 00ADB6B9
                                                                                                                                                                                                  • lstrlenW.KERNEL32(006C0064,?,00ADBA79,00000001,?), ref: 00ADB6D4
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString$lstrlen
                                                                                                                                                                                                  • String ID: algorithm$c:\agent\_work\36\s\wix\src\libs\dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BDB3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open@16
                                                                                                                                                                                                  • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00AA0B3B
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00AA0AF3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Path, xrefs: 00AA0AA1
                                                                                                                                                                                                  • Filename, xrefs: 00AA0A6E
                                                                                                                                                                                                  • Failed to get @Regid., xrefs: 00AA0B8C
                                                                                                                                                                                                  • Regid, xrefs: 00AA0A89
                                                                                                                                                                                                  • Failed to get @Path., xrefs: 00AA0B82
                                                                                                                                                                                                  • Failed to allocate memory for software tag structs., xrefs: 00AA0A3A
                                                                                                                                                                                                  • Failed to get next node., xrefs: 00AA0BA0
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp, xrefs: 00AA0A30
                                                                                                                                                                                                  • SoftwareTag, xrefs: 00AA09BC
                                                                                                                                                                                                  • Failed to get SoftwareTag text., xrefs: 00AA0B78
                                                                                                                                                                                                  • Failed to select software tag nodes., xrefs: 00AA09DD
                                                                                                                                                                                                  • Failed to get @Filename., xrefs: 00AA0B96
                                                                                                                                                                                                  • Failed to convert SoftwareTag text to UTF-8, xrefs: 00AA0B6E
                                                                                                                                                                                                  • Failed to get software tag count., xrefs: 00AA0A02
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeHeapString$AllocateProcess
                                                                                                                                                                                                  • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00AA6842
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AA6850
                                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00AA6874
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                                                                                                                  • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$feclient.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00AA21B0,InstallerVersion,InstallerVersion,00000000,00AA21B0,InstallerName,InstallerName,00000000,00AA21B0,Date,InstalledDate,00000000,00AA21B0,LogonUser), ref: 00AA1411
                                                                                                                                                                                                    • Part of subcall function 00A95D90: RegSetValueExW.ADVAPI32(00020006,00AE4178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00AA1017,00000000,?,00020006), ref: 00A95DC3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseValue
                                                                                                                                                                                                  • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(?,?), ref: 00AB047C
                                                                                                                                                                                                  • RegisterClassW.USER32(?), ref: 00AB04A8
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB04B3
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000080,00AED4EC,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00AB051A
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB0524
                                                                                                                                                                                                  • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00AB05C2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                                                                                                                                                  • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy download source for passthrough pseudo bundle., xrefs: 00ABE4A0
                                                                                                                                                                                                  • Failed to copy key for passthrough pseudo bundle., xrefs: 00ABE499
                                                                                                                                                                                                  • Failed to copy local source path for passthrough pseudo bundle., xrefs: 00ABE4C8
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp, xrefs: 00ABE2B9, 00ABE4B2, 00ABE4EC
                                                                                                                                                                                                  • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00ABE2C5
                                                                                                                                                                                                  • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00ABE4F8
                                                                                                                                                                                                  • Failed to copy related arguments for passthrough bundle package, xrefs: 00ABE593
                                                                                                                                                                                                  • Failed to copy filename for passthrough pseudo bundle., xrefs: 00ABE4CF
                                                                                                                                                                                                  • Failed to copy install arguments for passthrough bundle package, xrefs: 00ABE573
                                                                                                                                                                                                  • Failed to recreate command-line arguments., xrefs: 00ABE554
                                                                                                                                                                                                  • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00ABE5BD
                                                                                                                                                                                                  • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00ABE4BE
                                                                                                                                                                                                  • Failed to copy key for passthrough pseudo bundle payload., xrefs: 00ABE4D6
                                                                                                                                                                                                  • Failed to copy cache id for passthrough pseudo bundle., xrefs: 00ABE516
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp
                                                                                                                                                                                                  • API String ID: 1357844191-1162945257
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00ABF938
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to download BITS job., xrefs: 00ABFACF
                                                                                                                                                                                                  • Falied to start BITS job., xrefs: 00ABFAF0
                                                                                                                                                                                                  • Failed to initialize BITS job callback., xrefs: 00ABFA59
                                                                                                                                                                                                  • Failed to set callback interface for BITS job., xrefs: 00ABFA70
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 00ABF94E, 00ABFA41
                                                                                                                                                                                                  • Failed to set credentials for BITS job., xrefs: 00ABF9E6
                                                                                                                                                                                                  • Failed to create BITS job callback., xrefs: 00ABFA4B
                                                                                                                                                                                                  • Invalid BITS engine URL: %ls, xrefs: 00ABF95A
                                                                                                                                                                                                  • Failed to add file to BITS job., xrefs: 00ABFA05
                                                                                                                                                                                                  • Failed to complete BITS job., xrefs: 00ABFAE2
                                                                                                                                                                                                  • Failed to copy download URL., xrefs: 00ABF97F
                                                                                                                                                                                                  • Failed while waiting for BITS download., xrefs: 00ABFAE9
                                                                                                                                                                                                  • Failed to create BITS job., xrefs: 00ABF9C7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen
                                                                                                                                                                                                  • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp
                                                                                                                                                                                                  • API String ID: 1659193697-1195738540
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9D9ED
                                                                                                                                                                                                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 00A9DAFA
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00A9DB04
                                                                                                                                                                                                  • WaitForInputIdle.USER32(?,?), ref: 00A9DB58
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 00A9DBA3
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 00A9DBB0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
                                                                                                                                                                                                  • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$c:\agent\_work\36\s\wix\src\burn\engine\approvedexe.cpp
                                                                                                                                                                                                  • API String ID: 155678114-2698392196
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00AB8AB3,?), ref: 00AB859D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00AB8AB3,?,?,?), ref: 00AB85AA
                                                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00AB8AB3,?,?,?), ref: 00AB85F2
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00AB8AB3,?,?,?), ref: 00AB85FE
                                                                                                                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00AB8AB3,?,?,?), ref: 00AB8638
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00AB8AB3,?,?,?), ref: 00AB8642
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00AB86F9
                                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(?), ref: 00AB8703
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • wuauserv, xrefs: 00AB85EC
                                                                                                                                                                                                  • Failed to read configuration for WU service., xrefs: 00AB86A9
                                                                                                                                                                                                  • Failed to open service control manager., xrefs: 00AB85D8
                                                                                                                                                                                                  • Failed to open WU service., xrefs: 00AB862C
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp, xrefs: 00AB85CE, 00AB8622, 00AB8666
                                                                                                                                                                                                  • Failed to mark WU service to start on demand., xrefs: 00AB86CA
                                                                                                                                                                                                  • Failed to query status of WU service., xrefs: 00AB8670
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
                                                                                                                                                                                                  • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp$wuauserv
                                                                                                                                                                                                  • API String ID: 971853308-293086557
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00A9D807,00000008,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9CF1C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9D807,00000008,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A9CF28
                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00A9CFD0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorHandleLastModule_memcmp
                                                                                                                                                                                                  • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$c:\agent\_work\36\s\wix\src\burn\engine\section.cpp
                                                                                                                                                                                                  • API String ID: 3888311042-704495842
                                                                                                                                                                                                  • Opcode ID: 55daaea783ed8f378eeec0b6ebe606bd1bd2614f33e94786fc974c5a43ea09b9
                                                                                                                                                                                                  • Instruction ID: e8dfb5680678a231d704d22442a4625d7bc4e9971ec1f70f873170c4d8feee8e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 55daaea783ed8f378eeec0b6ebe606bd1bd2614f33e94786fc974c5a43ea09b9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD416C323C0720B7CF202A169D82F2636E5AF41B30F25455AFA075F2C1DAB9C94387E9
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BFAE
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,?,00000001,00000000,00000000,?,00000000,?,000002C0,000002C0,?,00000000,00000000), ref: 00A9C102
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format key string., xrefs: 00A9BFB9
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9C0C5
                                                                                                                                                                                                  • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A9C09D
                                                                                                                                                                                                  • Failed to open registry key. Key = '%ls', xrefs: 00A9C003
                                                                                                                                                                                                  • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00A9C0DA
                                                                                                                                                                                                  • Registry key not found. Key = '%ls', xrefs: 00A9BFEF
                                                                                                                                                                                                  • Failed to query registry key value., xrefs: 00A9C090
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\search.cpp, xrefs: 00A9C086
                                                                                                                                                                                                  • Failed to format value string., xrefs: 00A9C03A
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen@16
                                                                                                                                                                                                  • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$c:\agent\_work\36\s\wix\src\burn\engine\search.cpp
                                                                                                                                                                                                  • API String ID: 1561904661-3193761781
                                                                                                                                                                                                  • Opcode ID: 7ed704531a3edac79c2c49272c9ff3e62d87cb3fc5128374e24b49999e80e871
                                                                                                                                                                                                  • Instruction ID: 634e15ad72fab289a1520ce899e445b2b7d300f633574a1e5df4f3769872ab7a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7ed704531a3edac79c2c49272c9ff3e62d87cb3fc5128374e24b49999e80e871
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9741C477E40524FBCF12ABA9CD06EAE7AF5FF44720F114151F805FA152D6719E109B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00A9868C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A98696
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00A986D9
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A986E3
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00A9880C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                  • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$ntdll
                                                                                                                                                                                                  • API String ID: 3057421322-2900135847
                                                                                                                                                                                                  • Opcode ID: 673518c917b96524ad69129ebcb42759028ec983d60d7307c859fc6841c98d1f
                                                                                                                                                                                                  • Instruction ID: 0d5f2c04b31e9937d598a7eaabec94e82f2ea306918bc84f67d24454dd97ba68
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 673518c917b96524ad69129ebcb42759028ec983d60d7307c859fc6841c98d1f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E841EA72E412389BDF21DBA9CD45BEA77F4BB09710F110196E945FA140DB788E80CE90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00A9712C,?,?,?,?), ref: 00A965F0
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A9712C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A96601
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A9673E
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00A9712C,?,?,?,?,?,?,?,?,?,?,?), ref: 00A96747
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to connect to unelevated process., xrefs: 00A965E6
                                                                                                                                                                                                  • comres.dll, xrefs: 00A966AD
                                                                                                                                                                                                  • Failed to allocate thread local storage for logging., xrefs: 00A9662F
                                                                                                                                                                                                  • Failed to pump messages from parent process., xrefs: 00A96712
                                                                                                                                                                                                  • Failed to set elevated pipe into thread local storage for logging., xrefs: 00A96678
                                                                                                                                                                                                  • Failed to create the message window., xrefs: 00A9669C
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 00A96625, 00A9666E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                   • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocCloseErrorHandleLastMutexRelease
                                                                                                                                                                                                  • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp$comres.dll
                                                                                                                                                                                                  • API String ID: 687263955-1221171404
                                                                                                                                                                                                  • Opcode ID: 4a16af951d53680349b09fd580a9a71d544ece8cc2c5d9297c1e6cfc14667e8c
                                                                                                                                                                                                  • Instruction ID: 9f330bc59e1fa9128f75b7bb37767c1ef2838ab4442f661e5b1cdfdefdaf41a8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a16af951d53680349b09fd580a9a71d544ece8cc2c5d9297c1e6cfc14667e8c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E417172B41625BBCB15ABE4CD89EDBB7ACBF05750F010727BA06E6141EB70A91096E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00AA5863
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00AA586D
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00AA58D6
                                                                                                                                                                                                  • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00AA58DD
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00AA5967
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00AA5822
                                                                                                                                                                                                  • Failed to get temp folder., xrefs: 00AA589B
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\logging.cpp, xrefs: 00AA5891
                                                                                                                                                                                                  • Failed to format session id as a string., xrefs: 00AA590B
                                                                                                                                                                                                  • Failed to copy temp folder., xrefs: 00AA5990
                                                                                                                                                                                                  • Failed to get length of temp folder., xrefs: 00AA58C7
                                                                                                                                                                                                  • %u\, xrefs: 00AA58F7
                                                                                                                                                                                                  • Failed to get length of session id string., xrefs: 00AA5932
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
                                                                                                                                                                                                  • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$c:\agent\_work\36\s\wix\src\burn\engine\logging.cpp$crypt32.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00A99CFC
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00A99F24
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to write variable name., xrefs: 00A99F0B
                                                                                                                                                                                                  • Failed to write variable count., xrefs: 00A99D17
                                                                                                                                                                                                  • Failed to get version., xrefs: 00A99ED5
                                                                                                                                                                                                  • Failed to get numeric., xrefs: 00A99EF6
                                                                                                                                                                                                  • Failed to get string., xrefs: 00A99EEF
                                                                                                                                                                                                  • Unsupported variable type., xrefs: 00A99EE1
                                                                                                                                                                                                  • Failed to write variable value type., xrefs: 00A99F04
                                                                                                                                                                                                  • Failed to write literal flag., xrefs: 00A99EFD
                                                                                                                                                                                                  • Failed to write variable value as string., xrefs: 00A99EE8
                                                                                                                                                                                                  • Failed to write included flag., xrefs: 00A99F12
                                                                                                                                                                                                  • Failed to write variable value as number., xrefs: 00A99ECE
                                                                                                                                                                                                  • feclient.dll, xrefs: 00A99DD7, 00A99E2D, 00A99E6E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00AAC540,?,00000000,00000000,00000000,?), ref: 00AAB42A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AAC540,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AAB43A
                                                                                                                                                                                                    • Part of subcall function 00A937ED: Sleep.KERNEL32(?,00000000,?,00AAA24E,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00A96A86), ref: 00A93804
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00AAB546
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAB45E
                                                                                                                                                                                                  • Failed to move %ls to %ls, xrefs: 00AAB51E
                                                                                                                                                                                                  • Copying, xrefs: 00AAB4E5, 00AAB4F0
                                                                                                                                                                                                  • Failed to open payload in working path: %ls, xrefs: 00AAB469
                                                                                                                                                                                                  • Moving, xrefs: 00AAB4DC
                                                                                                                                                                                                  • Failed to verify payload hash: %ls, xrefs: 00AAB4D2
                                                                                                                                                                                                  • %ls payload from working path '%ls' to path '%ls', xrefs: 00AAB4F1
                                                                                                                                                                                                  • Failed to copy %ls to %ls, xrefs: 00AAB534
                                                                                                                                                                                                  • Failed to verify payload signature: %ls, xrefs: 00AAB495
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLastSleep
                                                                                                                                                                                                  • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 00A982F5
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00A97B69,00000000), ref: 00AD5CE7
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetProcAddress.KERNEL32(00000000), ref: 00AD5CEE
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D09
                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A98321
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A9832F
                                                                                                                                                                                                  • GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 00A98367
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A98371
                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A983B4
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A983BE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to backslash terminate system folder., xrefs: 00A98401
                                                                                                                                                                                                  • Failed to get 32-bit system folder., xrefs: 00A9839F
                                                                                                                                                                                                  • Failed to set system folder variant value., xrefs: 00A9841D
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A98353, 00A98395
                                                                                                                                                                                                  • Failed to get 64-bit system folder., xrefs: 00A9835D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
                                                                                                                                                                                                  • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AA5764: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00AA5C74,feclient.dll,?,00000000,?,?,?,00A967E0), ref: 00AA5805
                                                                                                                                                                                                  • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00A967E0,?,?,00ADE488,?,00000001,00000000,00000000), ref: 00AA5D0B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseSleep
                                                                                                                                                                                                  • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                                                                                                                                                                                                  • API String ID: 2834455192-2673269691
                                                                                                                                                                                                  • Opcode ID: b80c03cb2b64f7bcb7834f9f817d6f369cf9e68eaac8ea054bb595f364109b93
                                                                                                                                                                                                  • Instruction ID: e4a8b515328d394c5eff63085b1b7e34054757c881effee3354d5356b33476d4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b80c03cb2b64f7bcb7834f9f817d6f369cf9e68eaac8ea054bb595f364109b93
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8261AE71E00B66BBDF229F78CD46B6A7BA8EF16350B144525F802DB2D0EB71ED408794
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00A97083,00000000,00A9710B,00000000,?,00A99FEE,?,?,?,00000000,00000000), ref: 00A98ACF
                                                                                                                                                                                                    • Part of subcall function 00A9736B: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00A9828E,00A9828E,?,00A97301,?,?,00000000), ref: 00A973A7
                                                                                                                                                                                                    • Part of subcall function 00A9736B: GetLastError.KERNEL32(?,00A97301,?,?,00000000,?,?,00A9828E,?,00A99C40,?,?,?,?,?), ref: 00A973D6
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00A98C5F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Attempt to set built-in variable value: %ls, xrefs: 00A98B5D
                                                                                                                                                                                                  • Setting hidden variable '%ls', xrefs: 00A98B8D
                                                                                                                                                                                                  • Failed to set value of variable: %ls, xrefs: 00A98C47
                                                                                                                                                                                                  • Setting numeric variable '%ls' to value %lld, xrefs: 00A98C00
                                                                                                                                                                                                  • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00A98BD4
                                                                                                                                                                                                  • Unsetting variable '%ls', xrefs: 00A98BE8, 00A98C1B
                                                                                                                                                                                                  • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00A98C71
                                                                                                                                                                                                  • Failed to insert variable '%ls'., xrefs: 00A98B14
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A98B52
                                                                                                                                                                                                  • Setting string variable '%ls' to value '%ls', xrefs: 00A98BEF, 00A98BF7
                                                                                                                                                                                                  • Failed to find variable value '%ls'., xrefs: 00A98AEA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                                                                                                                                                                  • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 2716280545-4241350583
                                                                                                                                                                                                  • Opcode ID: 2b7f05142f5a7c5eef124464eee1f90a2b269c79e5c08d4f04f6c0147c8326d9
                                                                                                                                                                                                  • Instruction ID: d4abf25adee82a0208542e58ae7feda0e570d3fcea688bfc25d53f551b716c57
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2b7f05142f5a7c5eef124464eee1f90a2b269c79e5c08d4f04f6c0147c8326d9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4551E3B2B41221EBDF20AF19CD4AF7B37E8EB56710F14051AF8029A282D67CDD41D6A0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,00200064,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00AA49BB
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00AA4A06, 00AA4B00, 00AA4BF5, 00AA4C6A
                                                                                                                                                                                                  • Failed to create the string dictionary., xrefs: 00AA49F4
                                                                                                                                                                                                  • Failed to add dependents ignored from command-line., xrefs: 00AA4A70
                                                                                                                                                                                                  • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00AA4B25
                                                                                                                                                                                                  • Failed to allocate registration action., xrefs: 00AA4A24
                                                                                                                                                                                                  • Failed to check for remaining dependents during planning., xrefs: 00AA4B61
                                                                                                                                                                                                  • Failed to add self-dependent to ignore dependents., xrefs: 00AA4A3F
                                                                                                                                                                                                  • Failed to add registration action for self dependent., xrefs: 00AA4C88
                                                                                                                                                                                                  • wininet.dll, xrefs: 00AA4C08
                                                                                                                                                                                                  • Failed to add registration action for dependent related bundle., xrefs: 00AA4CBD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
                                                                                                                                                                                                  • API String ID: 1825529933-1705955799
                                                                                                                                                                                                  • Opcode ID: 9f32e0d4e1cdff2ac9059147f0898d0fcd5566859e7101933dadc959a58b5da8
                                                                                                                                                                                                  • Instruction ID: 2152fc0c5d595c7f5a134ab980be0025dd4f15fce2ce9683b7b95ea5281448d3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f32e0d4e1cdff2ac9059147f0898d0fcd5566859e7101933dadc959a58b5da8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84B1C271A01315EFCF15DF68C941BAEBBB5BF8A310F008169F819AB291D7B1D960CB91
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00AB15AA
                                                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00AB168D
                                                                                                                                                                                                  • StringFromGUID2.OLE32(?,?,00000027), ref: 00AB16AE
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?), ref: 00AB1757
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • update\%ls, xrefs: 00AB1606
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB16C3
                                                                                                                                                                                                  • Failed to recreate command-line for update bundle., xrefs: 00AB1675
                                                                                                                                                                                                  • Failed to convert bundle update guid into string., xrefs: 00AB16CD
                                                                                                                                                                                                  • Failed to default local update source, xrefs: 00AB161A
                                                                                                                                                                                                  • Failed to set update bundle., xrefs: 00AB1731
                                                                                                                                                                                                  • Failed to create bundle update guid., xrefs: 00AB169A
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$CreateEnterFromLeaveStringUuid
                                                                                                                                                                                                  • String ID: Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp$update\%ls
                                                                                                                                                                                                  • API String ID: 171215650-2475470284
                                                                                                                                                                                                  • Opcode ID: 11160d158bfcd3031832ecc5dc78ee3ae332e2a6a5ccbb4f72e83d72217f2ede
                                                                                                                                                                                                  • Instruction ID: 4659812b8e405330959a4ca2424703d52f53d16c490c51f0c155f2c6a825118d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 11160d158bfcd3031832ecc5dc78ee3ae332e2a6a5ccbb4f72e83d72217f2ede
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2F519B31A00219ABCF21DFA5C9A5EEEBBB9FF08710F554269F909AB152D7309C50CF90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • IsWindow.USER32(?), ref: 00A96932
                                                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A96943
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to open log., xrefs: 00A967E6
                                                                                                                                                                                                  • WixBundleLayoutDirectory, xrefs: 00A968C3
                                                                                                                                                                                                  • Failed while running , xrefs: 00A968F8
                                                                                                                                                                                                  • Failed to query registration., xrefs: 00A9687C
                                                                                                                                                                                                  • Failed to set registration variables., xrefs: 00A968AC
                                                                                                                                                                                                  • Failed to check global conditions, xrefs: 00A96817
                                                                                                                                                                                                  • Failed to set action variables., xrefs: 00A96892
                                                                                                                                                                                                  • Failed to set layout directory variable to value provided from command-line., xrefs: 00A968D4
                                                                                                                                                                                                  • Failed to create the message window., xrefs: 00A96866
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: MessagePostWindow
                                                                                                                                                                                                  • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                                                                                                                                                                                  • API String ID: 3618638489-3051724725
                                                                                                                                                                                                  • Opcode ID: 944537c11bf407ea68d2989f08f93b4e95cf5ffd26a9c9155c0dc54c68ca625e
                                                                                                                                                                                                  • Instruction ID: 67bb5d37b36c9b5a106f4e4c34a8352b8cadafb0c277aad8ff96ce94bc4e1893
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 944537c11bf407ea68d2989f08f93b4e95cf5ffd26a9c9155c0dc54c68ca625e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B41E671740626BBDF26AB64CD45FABB6ECFF04750F008236B906AA240DB70ED1497E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00AB0CE0
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00AB0E0D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy the arguments., xrefs: 00AB0D9F
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB0DEE
                                                                                                                                                                                                  • Engine is active, cannot change engine state., xrefs: 00AB0CFB
                                                                                                                                                                                                  • Failed to post launch approved exe message., xrefs: 00AB0DF8
                                                                                                                                                                                                  • UX requested unknown approved exe with id: %ls, xrefs: 00AB0D40
                                                                                                                                                                                                  • Failed to copy the id., xrefs: 00AB0D72
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                                                                                                                                                                  • String ID: Engine is active, cannot change engine state.$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 1367039788-2512400743
                                                                                                                                                                                                  • Opcode ID: 167ce70469d30feba6c6aa942864b96b4b3f4fd27b53314ffa0dfce1f3a3e3fc
                                                                                                                                                                                                  • Instruction ID: d8dab405244e6e531dbc22035f166c0ad2b50d643c5f27c0371734a79b221799
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 167ce70469d30feba6c6aa942864b96b4b3f4fd27b53314ffa0dfce1f3a3e3fc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7431A236A41665AFCB11DBA4DC45EAB37ECAF10760B018915FD05EF292E670ED0087E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00AAC4D3,?,00000000,00000000,00000000,?), ref: 00AAB315
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AAC4D3,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AAB323
                                                                                                                                                                                                    • Part of subcall function 00A937ED: Sleep.KERNEL32(?,00000000,?,00AAA24E,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00A96A86), ref: 00A93804
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00AAB401
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAB347
                                                                                                                                                                                                  • Failed to move %ls to %ls, xrefs: 00AAB3D9
                                                                                                                                                                                                  • Failed to open container in working path: %ls, xrefs: 00AAB352
                                                                                                                                                                                                  • Copying, xrefs: 00AAB3A0, 00AAB3AB
                                                                                                                                                                                                  • Moving, xrefs: 00AAB397
                                                                                                                                                                                                  • %ls container from working path '%ls' to path '%ls', xrefs: 00AAB3AC
                                                                                                                                                                                                  • Failed to verify container hash: %ls, xrefs: 00AAB384
                                                                                                                                                                                                  • Failed to copy %ls to %ls, xrefs: 00AAB3EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLastSleep
                                                                                                                                                                                                  • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 1275171361-3235902153
                                                                                                                                                                                                  • Opcode ID: 0fb6bbf6a0d22a123c9ac9398321a7a65ce4a451290b2dbfc0fa1ca8b40698b3
                                                                                                                                                                                                  • Instruction ID: 70536aa0760f4f0442e2e160456f67ed8a1e612b4aa31fb4c026b1dbc951c73d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0fb6bbf6a0d22a123c9ac9398321a7a65ce4a451290b2dbfc0fa1ca8b40698b3
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B213132A80B657BDA2266268C86F2B362CDF12B60F020115FD057F2C2D7A2AC1185F2
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00A98CB6
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00A98EC2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set variable value., xrefs: 00A98E75
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A98E96
                                                                                                                                                                                                  • Failed to read variable value as number., xrefs: 00A98E7C
                                                                                                                                                                                                  • Failed to read variable value as string., xrefs: 00A98E8F
                                                                                                                                                                                                  • Unsupported variable type., xrefs: 00A98E88
                                                                                                                                                                                                  • Failed to read variable count., xrefs: 00A98CD6
                                                                                                                                                                                                  • Failed to read variable value type., xrefs: 00A98EA4
                                                                                                                                                                                                  • Failed to read variable included flag., xrefs: 00A98EB2
                                                                                                                                                                                                  • Failed to read variable name., xrefs: 00A98EAB
                                                                                                                                                                                                  • Failed to read variable literal flag., xrefs: 00A98E9D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
                                                                                                                                                                                                  • API String ID: 3168844106-528957463
                                                                                                                                                                                                  • Opcode ID: ee908d5455e54bfbc2aefc2a472b780319adc277402ee3211df553a24922d83a
                                                                                                                                                                                                  • Instruction ID: fbe9679bc6b55ba2f145e923d1c64769676eb3904f900ac8208a2f880a96578c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ee908d5455e54bfbc2aefc2a472b780319adc277402ee3211df553a24922d83a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D716D32E0125ABBCF12DFA5DD55EAFBBF8EF05750F104112B901A6190DB78DE509BA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00A93C38
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A93C4E
                                                                                                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00A93C9E
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A93CA8
                                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 00A93CFC
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A93D07
                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00A93DF6
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00A93E69
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 3286166115-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 00A94B32
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A94B38
                                                                                                                                                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00A94B92
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A94B98
                                                                                                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A94C4C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A94C56
                                                                                                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A94CAC
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A94CB6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 00A94B5C
                                                                                                                                                                                                  • @, xrefs: 00A94B0C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                                                                                                                                                                                  • String ID: @$c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp
                                                                                                                                                                                                  • API String ID: 1547313835-2795764142
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00AA6A85
                                                                                                                                                                                                  • StringFromGUID2.OLE32(?,?,00000027), ref: 00AA6AB4
                                                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00AA6AFF
                                                                                                                                                                                                  • StringFromGUID2.OLE32(?,?,00000027), ref: 00AA6B2B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BurnPipe.%s, xrefs: 00AA6AE0
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp, xrefs: 00AA6AC5, 00AA6B12
                                                                                                                                                                                                  • Failed to convert pipe guid into string., xrefs: 00AA6AD1
                                                                                                                                                                                                  • Failed to allocate pipe name., xrefs: 00AA6AF4
                                                                                                                                                                                                  • Failed to create pipe guid., xrefs: 00AA6A92
                                                                                                                                                                                                  • Failed to allocate pipe secret., xrefs: 00AA6B54
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateFromStringUuid
                                                                                                                                                                                                  • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 4041566446-1910677036
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetSystemTime.KERNEL32(?), ref: 00A97D13
                                                                                                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00A97D27
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A97D39
                                                                                                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00A97D8D
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A97D97
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get the required buffer length for the Date., xrefs: 00A97D5E
                                                                                                                                                                                                  • Failed to allocate the buffer for the Date., xrefs: 00A97D75
                                                                                                                                                                                                  • Failed to get the Date., xrefs: 00A97DBC
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A97DD5
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A97D54, 00A97DB2
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: DateErrorFormatLast$SystemTime
                                                                                                                                                                                                  • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 2700948981-1392558998
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00A97154,?,?), ref: 00AB0718
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A97154,?,?), ref: 00AB0725
                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00AB0436,?,00000000,00000000), ref: 00AB077E
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A97154,?,?), ref: 00AB078B
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00A97154,?,?), ref: 00AB07C6
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00A97154,?,?), ref: 00AB07E5
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00A97154,?,?), ref: 00AB07F2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create the UI thread., xrefs: 00AB07B6
                                                                                                                                                                                                  • Failed to create initialization event., xrefs: 00AB0750
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp, xrefs: 00AB0746, 00AB07AC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                                                                                                                  • String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp
                                                                                                                                                                                                  • API String ID: 2351989216-3815837529
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00A97154,?,?), ref: 00AB02EC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00A97154,?,?), ref: 00AB02F9
                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00AB0050,00000000,00000000,00000000), ref: 00AB0358
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00A97154,?,?), ref: 00AB0365
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00A97154,?,?), ref: 00AB03A0
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00A97154,?,?), ref: 00AB03B4
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00A97154,?,?), ref: 00AB03C1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create modal event., xrefs: 00AB0324
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp, xrefs: 00AB031A, 00AB0386
                                                                                                                                                                                                  • Failed to create UI thread., xrefs: 00AB0390
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                                                                                                                  • String ID: Failed to create UI thread.$Failed to create modal event.$c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,76F92F60,?,?), ref: 00AB30D4
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB30E7
                                                                                                                                                                                                  • GetExitCodeThread.KERNEL32(00ADE488,00000000), ref: 00AB3129
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB3137
                                                                                                                                                                                                  • ResetEvent.KERNEL32(00ADE460), ref: 00AB3172
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB317C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to wait for operation complete event., xrefs: 00AB3118
                                                                                                                                                                                                  • Failed to get extraction thread exit code., xrefs: 00AB3168
                                                                                                                                                                                                  • Failed to reset operation complete event., xrefs: 00AB31AD
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB310E, 00AB315E, 00AB31A3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                                                                                                  • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetEvent.KERNEL32(00ADE478,?,00000000,?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000,?), ref: 00AB31E7
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000,?,00A9714F,FFF9E89D,00A9714F), ref: 00AB31F1
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00ADE488,000000FF,?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000,?,00A9714F), ref: 00AB322B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000,?,00A9714F,FFF9E89D,00A9714F), ref: 00AB3235
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00A9714F,?,00000000,?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000), ref: 00AB3280
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00A9714F,?,00000000,?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000), ref: 00AB328F
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00A9714F,?,00000000,?,00A9DED5,?,00A97083,00000000,?,00AA948E,?,00A97333,00A9713F,00A9713F,00000000), ref: 00AB329E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to wait for thread to terminate., xrefs: 00AB3263
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB3215, 00AB3259
                                                                                                                                                                                                  • Failed to set begin operation event., xrefs: 00AB321F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                                                                                                                                                                                  • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00A97B69,00000000), ref: 00AD5CE7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AD5CEE
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D09
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00A97B69,00000000), ref: 00AD5D4B
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AD5D52
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D69
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                                                                  • String ID: IsWow64Process$IsWow64Process2$c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp$kernel32
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AD56CD: EnterCriticalSection.KERNEL32(00AFF764,00000000,?,?,?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?), ref: 00AD56DD
                                                                                                                                                                                                    • Part of subcall function 00AD56CD: LeaveCriticalSection.KERNEL32(00AFF764,?,?,00AFF75C,?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?), ref: 00AD5824
                                                                                                                                                                                                  • OpenEventLogW.ADVAPI32(00000000,Application), ref: 00AA5ED5
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00AA5EE1
                                                                                                                                                                                                  • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00AE6E8C,00000000), ref: 00AA5F2E
                                                                                                                                                                                                  • CloseEventLog.ADVAPI32(00000000), ref: 00AA5F35
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                                                                                                                  • String ID: Application$Failed to open Application event log$Setup$_Failed$c:\agent\_work\36\s\wix\src\burn\engine\logging.cpp$txt
                                                                                                                                                                                                  • API String ID: 1844635321-336267069
                                                                                                                                                                                                  • Opcode ID: 5f8b1d0273b39a1f6d0a401adf5957287886f16906f38e378d31f6a6dbd6581f
                                                                                                                                                                                                  • Instruction ID: 89d43228cf91aced528ef26df1f1b5d490d06faa27a46c858034854664aa900f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f8b1d0273b39a1f6d0a401adf5957287886f16906f38e378d31f6a6dbd6581f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7F08132A86AB17A52317277AD0AD7F2D6CEA93FA17010915FD12FA1C1DB54880181B5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00AAB0FD
                                                                                                                                                                                                  • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 00AAB125
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                                  • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 1452528299-3709293557
                                                                                                                                                                                                  • Opcode ID: 7a4c29d866e2138b08e12b1192f61c98140e0c2c7f1b098e6571530df077ebdb
                                                                                                                                                                                                  • Instruction ID: 5da9a106374a8114afcd656238480fe90c31cd558321ba0ab2e42d0be8d8f28d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7a4c29d866e2138b08e12b1192f61c98140e0c2c7f1b098e6571530df077ebdb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A819476D50229ABDB11DBE5CD41BEEBBF8BF09710F110216E914BB291E7349D448BB0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00AB01FD
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,00000082,?,?), ref: 00AB023B
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00AB0248
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,?), ref: 00AB0257
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00AB0265
                                                                                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00AB0271
                                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00AB0282
                                                                                                                                                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00AB02A4
                                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00AB02AC
                                                                                                                                                                                                  • DeleteDC.GDI32(00000000), ref: 00AB02AF
                                                                                                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 00AB02BD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 409979828-0
                                                                                                                                                                                                  • Opcode ID: f3b198ca3c4d3ce82894421d42d36afb593683e7155bd1ffcb4512feed6eeb3e
                                                                                                                                                                                                  • Instruction ID: 73d65c73e2c6b0aadcb634c29d2097d996ef894d65d94fad59a6bebfd65f6912
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f3b198ca3c4d3ce82894421d42d36afb593683e7155bd1ffcb4512feed6eeb3e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09218C32105214BFDB25AFA8DC4CEBB3F68FB49721B02451AFA169B1B2D6718811DB60
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get bundle layout directory property., xrefs: 00AABF80
                                                                                                                                                                                                  • WixBundleLayoutDirectory, xrefs: 00AABF65
                                                                                                                                                                                                  • Failed to combine layout source with source., xrefs: 00AABF9F
                                                                                                                                                                                                  • Failed to get current process directory., xrefs: 00AABEEB
                                                                                                                                                                                                  • Failed to combine last source with source., xrefs: 00AABF0A
                                                                                                                                                                                                  • WixBundleOriginalSource, xrefs: 00AABEAC
                                                                                                                                                                                                  • WixBundleLastUsedSource, xrefs: 00AABE91
                                                                                                                                                                                                  • Failed to copy source path., xrefs: 00AAC019
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Find$CloseFileFirstlstrlen
                                                                                                                                                                                                  • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                                                                                                                                                                                                  • API String ID: 2767606509-3003062821
                                                                                                                                                                                                  • Opcode ID: 905f16272b4ec5490198224b0412aee0ed4128a39eeac0513f3c214a2233a439
                                                                                                                                                                                                  • Instruction ID: 02b0f7b1d0d2f7816b66171cd3048a763365eb49a9d8bcc2ccb403517edb9c93
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 905f16272b4ec5490198224b0412aee0ed4128a39eeac0513f3c214a2233a439
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D816D72E04219AFDF25DFA8D981AEEBBB5BF09310F140529F911B72A1D7719D01CB60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00A948D2
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A948DC
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00A9497C
                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00A94A09
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A94A16
                                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00A94A2A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00A94A92
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 00A94900
                                                                                                                                                                                                  • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00A949D9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
                                                                                                                                                                                                  • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp
                                                                                                                                                                                                  • API String ID: 3480017824-2322201441
                                                                                                                                                                                                  • Opcode ID: 8f28a3b45528f2fc154b9712b563b532d80a777bed43afdf7c3d75c3d650bb86
                                                                                                                                                                                                  • Instruction ID: 189c9e39abff4e8fcb69475f901580e741dd6c473bbce870c6369e5b04181ff2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f28a3b45528f2fc154b9712b563b532d80a777bed43afdf7c3d75c3d650bb86
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DF715372E41239ABDF30DBA8DD48FAAB7F8AB0C750F110295F915A7290D7349E81CB54
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,76F8DFD0,?,00ADA8E7,?,?), ref: 00ADA3CB
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA436
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA4AE
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA4ED
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$Free$Compare
                                                                                                                                                                                                  • String ID: label$scheme$term
                                                                                                                                                                                                  • API String ID: 1324494773-4117840027
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00A97083,00000000,00A9714F,00A9710B,WixBundleUILevel,840F01E8,?,00000001), ref: 00A9E916
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to concat file paths., xrefs: 00A9E9F6
                                                                                                                                                                                                  • Failed to get directory portion of local file path, xrefs: 00A9E9EF
                                                                                                                                                                                                  • Failed to find embedded payload: %ls, xrefs: 00A9E942
                                                                                                                                                                                                  • Failed to extract file., xrefs: 00A9E9E1
                                                                                                                                                                                                  • Payload was not found in container: %ls, xrefs: 00A9EA23
                                                                                                                                                                                                  • Failed to get next stream., xrefs: 00A9E9FD
                                                                                                                                                                                                  • Failed to ensure directory exists, xrefs: 00A9E9E8
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp, xrefs: 00A9EA17
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp
                                                                                                                                                                                                  • API String ID: 1825529933-2753023788
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00A9648D
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00A96493
                                                                                                                                                                                                  • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A96521
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to load UX., xrefs: 00A964D6
                                                                                                                                                                                                  • Unexpected return value from message pump., xrefs: 00A96577
                                                                                                                                                                                                  • Failed to create engine for UX., xrefs: 00A964AD
                                                                                                                                                                                                  • wininet.dll, xrefs: 00A964C0
                                                                                                                                                                                                  • Failed to start bootstrapper application., xrefs: 00A964EF
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 00A9656D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Message$CurrentPeekThread
                                                                                                                                                                                                  • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp$wininet.dll
                                                                                                                                                                                                  • API String ID: 673430819-4069925003
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00ABCB60,?,00000001,00000000), ref: 00ABB866
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00ABCB60,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00ABB870
                                                                                                                                                                                                  • CopyFileExW.KERNEL32(00000000,00000000,00ABB6B4,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00ABB8BE
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00ABCB60,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00ABB8ED
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp, xrefs: 00ABB894, 00ABB8D8, 00ABB911
                                                                                                                                                                                                  • Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 00ABB91F
                                                                                                                                                                                                  • copy, xrefs: 00ABB834
                                                                                                                                                                                                  • Failed to clear readonly bit on payload destination path: %ls, xrefs: 00ABB89F
                                                                                                                                                                                                  • BA aborted copy of payload from: '%ls' to: %ls., xrefs: 00ABB8E6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$AttributesCopy
                                                                                                                                                                                                  • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload desusertion path: %ls$c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp$copy
                                                                                                                                                                                                  • API String ID: 1969131206-2808119378
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00AAAC59
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAAC02
                                                                                                                                                                                                  • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00AAAB82
                                                                                                                                                                                                  • Failed to create ACL to secure cache path: %ls, xrefs: 00AAAC0D
                                                                                                                                                                                                  • Failed to allocate access for Everyone group to path: %ls, xrefs: 00AAABA3
                                                                                                                                                                                                  • Failed to allocate access for Users group to path: %ls, xrefs: 00AAABC4
                                                                                                                                                                                                  • Failed to secure cache path: %ls, xrefs: 00AAAC3C
                                                                                                                                                                                                  • Failed to allocate access for Administrators group to path: %ls, xrefs: 00AAAB61
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeLocal
                                                                                                                                                                                                  • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 2826327444-2673515905
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00AA116A
                                                                                                                                                                                                    • Part of subcall function 00A91B27: CreateDirectoryW.KERNELBASE(00000000,00A97083,00000000,00000000,?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B35
                                                                                                                                                                                                    • Part of subcall function 00A91B27: GetLastError.KERNEL32(?,00AABDBF,00000000,00000000,?,00000000,840F01E8,00A97083,00000000,00A9714F,840F01E8), ref: 00A91B43
                                                                                                                                                                                                  • lstrlenA.KERNEL32(002E0032,00000000,00000094,00000000,00000094,crypt32.dll,crypt32.dll,00AA2190,swidtag,00000094,00ADE500,00330074,00AA2190,00000000,crypt32.dll,00000000), ref: 00AA11BD
                                                                                                                                                                                                    • Part of subcall function 00A94483: CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00AA2190,00000000,?,00AA11D4,00ADE500,00000080,002E0032,00000000), ref: 00A9449B
                                                                                                                                                                                                    • Part of subcall function 00A94483: GetLastError.KERNEL32(?,00AA11D4,00ADE500,00000080,002E0032,00000000,?,00AA2190,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00A944A8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                                                                                                                                                                                  • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$crypt32.dll$swidtag
                                                                                                                                                                                                  • API String ID: 904508749-2959304021
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadBitmapW.USER32(?,00000001), ref: 00AAFF6F
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAFF7B
                                                                                                                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00AAFFC2
                                                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 00AAFFE3
                                                                                                                                                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00AAFFF5
                                                                                                                                                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00AB000B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp, xrefs: 00AAFF9F
                                                                                                                                                                                                  • (, xrefs: 00AB0002
                                                                                                                                                                                                  • Failed to load splash screen bitmap., xrefs: 00AAFFA9
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                                                                                                                                                                                                  • String ID: ($Failed to load splash screen bitmap.$c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp
                                                                                                                                                                                                  • API String ID: 2342928100-4182049364
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,?,?,00ADE500), ref: 00AA6D94
                                                                                                                                                                                                  • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00AA6E32
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AA6E4B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Process$CloseCurrentHandle
                                                                                                                                                                                                  • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                                                                                                                                                                                  • API String ID: 2815245435-1352204306
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00A9859F
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00A985A6
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A985B0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to find DllGetVersion entry point in msi.dll., xrefs: 00A985DE
                                                                                                                                                                                                  • Failed to get msi.dll version info., xrefs: 00A985F8
                                                                                                                                                                                                  • msi, xrefs: 00A98596
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A9861C
                                                                                                                                                                                                  • DllGetVersion, xrefs: 00A98591
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A985D4
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                                                                  • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$msi
                                                                                                                                                                                                  • API String ID: 4275029093-2834595993
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00A964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A97154,?), ref: 00A9F3C1
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A97154,?,?), ref: 00A9F3CE
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00A9F406
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A97154,?,?), ref: 00A9F412
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BootstrapperApplicationCreate, xrefs: 00A9F400
                                                                                                                                                                                                  • Failed to load UX DLL., xrefs: 00A9F3F9
                                                                                                                                                                                                  • Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00A9F43D
                                                                                                                                                                                                  • Failed to create UX., xrefs: 00A9F456
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp, xrefs: 00A9F3EF, 00A9F433
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                                                                                                  • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp
                                                                                                                                                                                                  • API String ID: 1866314245-3484973401
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A9150F
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A9151A
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A91528
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A91543
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A9154B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00A9118B,cabinet.dll,00000009,?,?,00000000), ref: 00A91560
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorLastProc$HandleHeapInformationModule
                                                                                                                                                                                                  • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                                                                                                                                                  • API String ID: 3104334766-1824683568
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00AB12B5
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00AB1430
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set download user., xrefs: 00AB13B8
                                                                                                                                                                                                  • UX did not provide container or payload id., xrefs: 00AB141F
                                                                                                                                                                                                  • UX requested unknown container with id: %ls, xrefs: 00AB135A
                                                                                                                                                                                                  • Engine is active, cannot change engine state., xrefs: 00AB12CF
                                                                                                                                                                                                  • Failed to set download URL., xrefs: 00AB138F
                                                                                                                                                                                                  • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00AB1320
                                                                                                                                                                                                  • UX requested unknown payload with id: %ls, xrefs: 00AB130A
                                                                                                                                                                                                  • Failed to set download password., xrefs: 00AB13DE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-2615595102
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00AD90DA
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD90E8
                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00AD9129
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD9136
                                                                                                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AD92A9
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00AD92B8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 00AD910C
                                                                                                                                                                                                  • GET, xrefs: 00AD91DD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                                                                                                                                                                  • String ID: GET$c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                                                                                                                                                                                  • API String ID: 2028584396-3792313763
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AA2CEB: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00AA293E,?,00000000,?,00000000,00000000), ref: 00AA2D1A
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00AA2AC2
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AA2ACF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create syncpoint event., xrefs: 00AA2AFD
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\plan.cpp, xrefs: 00AA2AF3
                                                                                                                                                                                                  • Failed to append payload cache action., xrefs: 00AA2A79
                                                                                                                                                                                                  • Failed to append rollback cache action., xrefs: 00AA299E
                                                                                                                                                                                                  • Failed to append cache action., xrefs: 00AA2A19
                                                                                                                                                                                                  • Failed to append package start action., xrefs: 00AA2964
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareCreateErrorEventLastString
                                                                                                                                                                                                  • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$c:\agent\_work\36\s\wix\src\burn\engine\plan.cpp
                                                                                                                                                                                                  • API String ID: 801187047-378072449
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BBEC
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BC11
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format component id string., xrefs: 00A9BBF7
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9BCF5
                                                                                                                                                                                                  • Failed to format product code string., xrefs: 00A9BC1C
                                                                                                                                                                                                  • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00A9BD05
                                                                                                                                                                                                  • Failed to get component path: %d, xrefs: 00A9BC75
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open@16
                                                                                                                                                                                                  • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                                                                                                                                                                                                  • API String ID: 3613110473-1671347822
                                                                                                                                                                                                  • Opcode ID: 9da890826bfd928778621d96845caf0c9f70254924ed10e4546ab3b57140d498
                                                                                                                                                                                                  • Instruction ID: d289ec32d25307c666f90f7bb9209f8a5afc00723dde4440ee918e88792a537e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9da890826bfd928778621d96845caf0c9f70254924ed10e4546ab3b57140d498
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1641E332B10115BACF259BA8AF82FBEB6F8EF09310F244616F511E5191DF30DE50A6A1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000001,00000008,?,00000000,?,00000000,00000000,00000001,00000000,?,?,?,00000000,crypt32.dll,00000000), ref: 00AA661C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AA6629
                                                                                                                                                                                                  • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00AA66D4
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AA66DE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                                                  • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 1948546556-460803975
                                                                                                                                                                                                  • Opcode ID: f30cf0a9cb2549c463a89f4f2c4639e07e75ce01e76a770442b8fddbd8ea2c7a
                                                                                                                                                                                                  • Instruction ID: 10927050f3e59c99d1787d62a949e67d3e0800da88057fc465ebbb04e2ba88fb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f30cf0a9cb2549c463a89f4f2c4639e07e75ce01e76a770442b8fddbd8ea2c7a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BB31E572E40229BBDB259BA5CD45BAEFB78BB15715F14822AB841AB1C0E7749D008FD0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,76F8DFD0), ref: 00ADA2AF
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00ADA2CC
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA30A
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA34E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$CompareFree
                                                                                                                                                                                                  • String ID: email$name$uri
                                                                                                                                                                                                  • API String ID: 3589242889-1168628755
                                                                                                                                                                                                  • Opcode ID: 88c3069171d035ae245a63b6ea7bb3dbef4b595ce11c7261dfb7c00accae71b0
                                                                                                                                                                                                  • Instruction ID: d4e80ea48fd700b15ff363a23f10d6b981703f33d88a131a69cbac93f7dded11
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88c3069171d035ae245a63b6ea7bb3dbef4b595ce11c7261dfb7c00accae71b0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 38417E35901219BBDF11DB94CC44FADB775AF10725F2042A5F522AB2E0C7719E01DB91
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00A97154,00000000,00000000,?,00000000), ref: 00AA7146
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A9692F,?,?,00000000,?,?,?,?,?,?,00ADE4A0,?,?), ref: 00AA7151
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to write exit code to message buffer., xrefs: 00AA70C1
                                                                                                                                                                                                  • Failed to post terminate message to child process cache thread., xrefs: 00AA7115
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp, xrefs: 00AA7175
                                                                                                                                                                                                  • Failed to wait for child process exit., xrefs: 00AA717F
                                                                                                                                                                                                  • Failed to post terminate message to child process., xrefs: 00AA7131
                                                                                                                                                                                                  • Failed to write restart to message buffer., xrefs: 00AA70E9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastObjectSingleWait
                                                                                                                                                                                                  • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 1211598281-2003247018
                                                                                                                                                                                                  • Opcode ID: 12f9e7139b15f80b9de4fc0b6d94c2814b5d1a2c202165d4092a4e59f8dd6381
                                                                                                                                                                                                  • Instruction ID: a5fdac37a8e70b3601dfeafe18ad82940ee46daa04b66b8ca2633dbbadd43537
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 12f9e7139b15f80b9de4fc0b6d94c2814b5d1a2c202165d4092a4e59f8dd6381
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F21D837948629BBCB229B94CD05E9FBAA8EF01760F100352F901B71E0D7309E4197D0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00AABB5C,00000003,000007D0,00000003,?,000007D0), ref: 00AAAD02
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AABB5C,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 00AAAD0F
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00AABB5C,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00AAADD7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAAD46
                                                                                                                                                                                                  • Failed to verify catalog signature of payload: %ls, xrefs: 00AAAD9E
                                                                                                                                                                                                  • Failed to open payload at path: %ls, xrefs: 00AAAD53
                                                                                                                                                                                                  • Failed to verify signature of payload: %ls, xrefs: 00AAAD7F
                                                                                                                                                                                                  • Failed to verify hash of payload: %ls, xrefs: 00AAADC2
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                                                                  • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 2528220319-1870011837
                                                                                                                                                                                                  • Opcode ID: 6345519aff52833fc773d12e19f25280dc1c4cacf4ef39c60b5818a2d8ba03cd
                                                                                                                                                                                                  • Instruction ID: eb97d7b2088aac62bfdf2c9a7b01337cc37ed33d4ee3a1d380c9050244491383
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6345519aff52833fc773d12e19f25280dc1c4cacf4ef39c60b5818a2d8ba03cd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE21F932941631BBCB221B64CD45B5A7AA8BF26772F104213FC456B9D093759C60EAD2
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00A98870
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A9887A
                                                                                                                                                                                                  • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00A988BE
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A988C8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get windows directory., xrefs: 00A988A8
                                                                                                                                                                                                  • Failed to get volume path name., xrefs: 00A988F6
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A98912
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A9889E, 00A988EC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$DirectoryNamePathVolumeWindows
                                                                                                                                                                                                  • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9B983
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00A9C5A7,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00A9B99B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9C5A7,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00A9B9A8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed get to file attributes. '%ls', xrefs: 00A9B9E5
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9BA31
                                                                                                                                                                                                  • File search: %ls, did not find path: %ls, xrefs: 00A9B9FA
                                                                                                                                                                                                  • Failed to format variable string., xrefs: 00A9B98E
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\search.cpp, xrefs: 00A9B9D8
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileLastOpen@16
                                                                                                                                                                                                  • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$c:\agent\_work\36\s\wix\src\burn\engine\search.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(?,?), ref: 00AACA46
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AACA50
                                                                                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000), ref: 00AACA8F
                                                                                                                                                                                                  • CoUninitialize.OLE32(?,00AAE3E7,?,?), ref: 00AACACC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to initialize COM., xrefs: 00AACA9B
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 00AACA74
                                                                                                                                                                                                  • Failed to pump messages in child process., xrefs: 00AACABA
                                                                                                                                                                                                  • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00AACA7E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorInitializeLastUninitializeValue
                                                                                                                                                                                                  • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00A97A23
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A959DD
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A95A15
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: QueryValue$Close
                                                                                                                                                                                                  • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000000,00000000,?), ref: 00ABBE97
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 00ABBEA1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • download, xrefs: 00ABBE61
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp, xrefs: 00ABBEC5
                                                                                                                                                                                                  • Failed to clear readonly bit on payload desusertion path: %ls, xrefs: 00ABBED0
                                                                                                                                                                                                  • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00ABBF7E
                                                                                                                                                                                                  • :, xrefs: 00ABBF1A
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileLast
                                                                                                                                                                                                  • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload desusertion path: %ls$c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp$download
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,76F8DFD0,000000FF,type,000000FF,?,76F8DFD0,76F8DFD0,76F8DFD0), ref: 00ADA578
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA5C3
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA63F
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADA68B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$Free$Compare
                                                                                                                                                                                                  • String ID: type$url
                                                                                                                                                                                                  • API String ID: 1324494773-1247773906
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,00ABABC5,000002C0,00000100), ref: 00ADBB04
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00ABABC5,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00ADBB1F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • http://appsyndication.org/2006/appsyn, xrefs: 00ADBAF7
                                                                                                                                                                                                  • type, xrefs: 00ADBB46
                                                                                                                                                                                                  • application, xrefs: 00ADBB11
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\apuputil.cpp, xrefs: 00ADBBBA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareHeapString$AllocateProcess
                                                                                                                                                                                                  • String ID: application$c:\agent\_work\36\s\wix\src\libs\dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                                                                                                                                                  • API String ID: 2664528157-2916524029
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD9B48
                                                                                                                                                                                                  • DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00AD9C3F
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00AD9C4E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseDeleteErrorFileHandleLast
                                                                                                                                                                                                  • String ID: Burn$DownloadTimeout$WiX\Burn$c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                                                                                                                                                                                  • API String ID: 3522763407-2154465160
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00AAAF63
                                                                                                                                                                                                    • Part of subcall function 00AD8D1A: GetLastError.KERNEL32(?,?,00AAAF88,?,00000003,00A9714F,?), ref: 00AD8D39
                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00AAAF9D
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAB015
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAB039
                                                                                                                                                                                                  • Failed to find expected public key in certificate chain., xrefs: 00AAAFD8
                                                                                                                                                                                                  • Failed to get certificate public key identifier., xrefs: 00AAB043
                                                                                                                                                                                                  • Failed to read certificate thumbprint., xrefs: 00AAB009
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast_memcmp
                                                                                                                                                                                                  • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 3428363238-3896399001
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00AA23A2
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00AA23B1
                                                                                                                                                                                                    • Part of subcall function 00A954AE: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00AA22E9,?,00000000,00020006), ref: 00A954D3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to delete registration key: %ls, xrefs: 00AA2350
                                                                                                                                                                                                  • Failed to write volatile reboot required registry key., xrefs: 00AA22ED
                                                                                                                                                                                                  • %ls.RebootRequired, xrefs: 00AA22BF
                                                                                                                                                                                                  • Failed to update resume mode., xrefs: 00AA2386
                                                                                                                                                                                                  • Failed to open registration key., xrefs: 00AA23E7
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
• Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close$Create
                                                                                                                                                                                                  • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                                                                                                                                                                                                  • API String ID: 359002179-2517785395
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00AA161C
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00AA1629
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Resume, xrefs: 00AA1590
                                                                                                                                                                                                  • %ls.RebootRequired, xrefs: 00AA1509
                                                                                                                                                                                                  • Failed to read Resume value., xrefs: 00AA15B2
                                                                                                                                                                                                  • Failed to format pending restart registry key to read., xrefs: 00AA1520
                                                                                                                                                                                                  • Failed to open registration key., xrefs: 00AA1585
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                  • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                                                                                                                                                                  • API String ID: 3535843008-3890505273
                                                                                                                                                                                                  • Opcode ID: d0aa65e5f77c31bbdc9887f1bcf05e512fcb66c53c9c9a3d02478df44306aa54
                                                                                                                                                                                                  • Instruction ID: cc6fe33bbd43e7b579d30c83b52113cb93d8ef516fd0935cd516115e605eea86
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0aa65e5f77c31bbdc9887f1bcf05e512fcb66c53c9c9a3d02478df44306aa54
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F417E36E00219FFCB129F99C981AADBBB4FF46311F158166E812AB290C771DE40DB80
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00AB55B8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open@16
                                                                                                                                                                                                  • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.$feclient.dll
                                                                                                                                                                                                  • API String ID: 3613110473-656185529
                                                                                                                                                                                                  • Opcode ID: bdd72ac69f69975e27001395d5e91770b249528f142dc870d87f7330d1326bf0
                                                                                                                                                                                                  • Instruction ID: 137721a68ad75e18d4666edfc5cb737a8dbc87d6a413c15ec219648c6d10fd90
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdd72ac69f69975e27001395d5e91770b249528f142dc870d87f7330d1326bf0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE31AD72E01619BBCF259FA8CD51BEEB7BDAF00710F14422AF91166242E770EE10DB94
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
                                                                                                                                                                                                  • API String ID: 0-660234312
                                                                                                                                                                                                  • Opcode ID: c2aa54f2306c444bbac06fbd94a6f48e241728ff0fc51de58c87fac8f95bd416
                                                                                                                                                                                                  • Instruction ID: ac36f87151352675f7b4b602a98bffcb24a4d6b7cfef71e3f4eac7439b632bfd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c2aa54f2306c444bbac06fbd94a6f48e241728ff0fc51de58c87fac8f95bd416
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B631AA32904259BBDF219A98CC85FAE7BB9AB41770F200765F511F71D0DB719E41CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CoCreateInstance.OLE32(00AF4514,00000000,00000017,00AF4524,?,?,00000000,00000000,?,?,?,?,?,00ABF9BE,00000000,00000000), ref: 00ABF3D0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set progress timeout., xrefs: 00ABF43A
                                                                                                                                                                                                  • WixBurn, xrefs: 00ABF3FB
                                                                                                                                                                                                  • Failed to create BITS job., xrefs: 00ABF40A
                                                                                                                                                                                                  • Failed to create IBackgroundCopyManager., xrefs: 00ABF3DC
                                                                                                                                                                                                  • Failed to set BITS job to foreground., xrefs: 00ABF451
                                                                                                                                                                                                  • Failed to set notification flags for BITS job., xrefs: 00ABF422
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateInstance
                                                                                                                                                                                                  • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                                                                                                                                                                                                  • API String ID: 542301482-468763447
                                                                                                                                                                                                  • Opcode ID: 6fb513808ba0724ca80bf666ccb65dbc35c517ffd51a996e1f6505a4550ee516
                                                                                                                                                                                                  • Instruction ID: c5a2e36963f66c5bb1d530b0eefb65a0a5d67763b40571e6eb729d68a4c725b6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6fb513808ba0724ca80bf666ccb65dbc35c517ffd51a996e1f6505a4550ee516
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7318471A40219AFDB15DBA8CC55DBFBBF8AF48710B044569FA02EB351DA30DC05CB91
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00AD9433
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD9440
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00AD9487
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD94BB
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp,000000C8,00000000), ref: 00AD94EF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                                                                                                  • String ID: %ls.R$c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                                                                                                                                                                                  • API String ID: 3160720760-2563767296
                                                                                                                                                                                                  • Opcode ID: 943d032f34279268dbaadb707cbff70583c535e2147d2737e3771bbc55114a17
                                                                                                                                                                                                  • Instruction ID: c744a115ea55536395403031e3019d333a11fe3b85105f34b27b4c5749c40abb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 943d032f34279268dbaadb707cbff70583c535e2147d2737e3771bbc55114a17
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E31E9B6A41225BBE720CF94CD89B6B7AB4AF05720F114216FE06EF3C1D670DC0286A1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9EA56: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,00AA0124,000000FF,00000000,00000000,00AA0124,?,?,00A9F8CE,?,?,?,?), ref: 00A9EA81
                                                                                                                                                                                                  • CreateFileW.KERNEL32(E900ADEC,80000000,00000005,00000000,00000003,08000000,00000000,00A9708B,?,00000000,840F01E8,84680A79,00000001,00A97083,00000000,00A9714F), ref: 00A9E652
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00AA944A,00A97333,00A9713F,00A9713F,00000000,?,00A9714F,FFF9E89D,00A9714F,00A97183,00A9710B,?,00A9710B), ref: 00A9E697
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\catalog.cpp, xrefs: 00A9E6B8
                                                                                                                                                                                                  • Failed to open catalog in working path: %ls, xrefs: 00A9E6C5
                                                                                                                                                                                                  • Failed to get catalog local file path, xrefs: 00A9E6D5
                                                                                                                                                                                                  • Failed to verify catalog signature: %ls, xrefs: 00A9E690
                                                                                                                                                                                                  • Failed to find payload for catalog file., xrefs: 00A9E6DC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareCreateErrorFileLastString
                                                                                                                                                                                                  • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$c:\agent\_work\36\s\wix\src\burn\engine\catalog.cpp
                                                                                                                                                                                                  • API String ID: 1774366664-814001727
                                                                                                                                                                                                  • Opcode ID: 7000b827bf3f8ecdeea24f30e226668727d72277d57269eb91d3337a2240de21
                                                                                                                                                                                                  • Instruction ID: 50a23d2951bf8abda53793eb1c5c4b2dcd999c42cde7ccfaf16f6d14352e270b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7000b827bf3f8ecdeea24f30e226668727d72277d57269eb91d3337a2240de21
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5031F132A00625BBDB11DB68CD42B5DBBE8AF10750F108225BA05AB281E670ED108BD0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00AD5B4F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00AD5B59
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00AD5BA2
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00AD5BAF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                                                                                                                  • String ID: "%ls" %ls$D$c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp
                                                                                                                                                                                                  • API String ID: 161867955-4290592431
                                                                                                                                                                                                  • Opcode ID: ce7754d19ce1568f02a33a68c873fd203568fdf8285ba89f3d29a136d2eddc98
                                                                                                                                                                                                  • Instruction ID: f6c124d581d9497165d85b3a86f336052f540569dceded6f9e3a9c6a3230c21a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce7754d19ce1568f02a33a68c873fd203568fdf8285ba89f3d29a136d2eddc98
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8212F76D0161AABDF11DFE4CD45AAEBBB8FF04754F110527E902BB250E6709E00CAA1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,76F930B0,00000000,?,?,?,00ABF139,?), ref: 00ABEE5C
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?,?,?,00ABF139,?), ref: 00ABEE70
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ABEEB5
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?), ref: 00ABEEC8
                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00ABEED1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get message from netfx chainer., xrefs: 00ABEEF2
                                                                                                                                                                                                  • Failed to send files in use message from netfx chainer., xrefs: 00ABEF15
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: MutexObjectReleaseSingleWait$Event
                                                                                                                                                                                                  • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                                                                                                                                                                                  • API String ID: 2608678126-3424578679
                                                                                                                                                                                                  • Opcode ID: 91802630a13ba06945e6d28fbf31c68d0b5071545ddbe9013f6a9796a4069011
                                                                                                                                                                                                  • Instruction ID: a74b1813bad8cf36198c074c2dc5df50b4ba645889fdab52b081978018de110c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 91802630a13ba06945e6d28fbf31c68d0b5071545ddbe9013f6a9796a4069011
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F331B13290461ABFCF01DFA4CC45EEEBBBCBF15321F148266F511A62A2C775E9509B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9B8B2
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00A9C5BD,00000100,000002C0,000002C0,00000100), ref: 00A9B8D2
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9C5BD,00000100,000002C0,000002C0,00000100), ref: 00A9B8DD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed while searching directory search: %ls, for path: %ls, xrefs: 00A9B933
                                                                                                                                                                                                  • Failed to set directory search path variable., xrefs: 00A9B90E
                                                                                                                                                                                                  • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00A9B949
                                                                                                                                                                                                  • Failed to format variable string., xrefs: 00A9B8BD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileLastOpen@16
                                                                                                                                                                                                  • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                                                                                                                  • API String ID: 1811509786-2966038646
                                                                                                                                                                                                  • Opcode ID: 25eeee88c8a9bca2db19683f405d87bf53f0ed3a0ac087341efced72a81f5b15
                                                                                                                                                                                                  • Instruction ID: f8dd432eb62a6c161d43884c2a41a318da801977aaa9a0d6c10725678d1a604f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 25eeee88c8a9bca2db19683f405d87bf53f0ed3a0ac087341efced72a81f5b15
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E1113B37F61135B7CF126B98DF02B9D7BA5AF10360F200211FD15761A1C7319E10A6E5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BA67
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00A9C595,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00A9BA87
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9C595,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00A9BA92
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • File search: %ls, did not find path: %ls, xrefs: 00A9BAF6
                                                                                                                                                                                                  • Failed to format variable string., xrefs: 00A9BA72
                                                                                                                                                                                                  • Failed while searching file search: %ls, for path: %ls, xrefs: 00A9BAC0
                                                                                                                                                                                                  • Failed to set variable to file search path., xrefs: 00A9BAEA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileLastOpen@16
                                                                                                                                                                                                  • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                                                                                                                                                                                                  • API String ID: 1811509786-3425311760
                                                                                                                                                                                                  • Opcode ID: 3f7587f046b1d3a90b8d1eb5dcb79e69b1748e9aed319253227becc0fb5186c9
                                                                                                                                                                                                  • Instruction ID: 55a3e7fb1f31dc9c69442db2a5c77ea55b20d0dbc2aeb884f276af408a74d7da
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3f7587f046b1d3a90b8d1eb5dcb79e69b1748e9aed319253227becc0fb5186c9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3811E737F51134B7CF12A799DF02EADBAA5AF107A0F200211F8017A190D7719E50A6E1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C), ref: 00AAEBF7
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C,?,?,?), ref: 00AAEC01
                                                                                                                                                                                                  • GetExitCodeThread.KERNEL32(?,?,?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C,?), ref: 00AAEC3D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C,?,?,?), ref: 00AAEC47
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to wait for cache thread to terminate., xrefs: 00AAEC2F
                                                                                                                                                                                                  • Failed to get cache thread exit code., xrefs: 00AAEC75
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 00AAEC25, 00AAEC6B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                                                                                                  • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  • API String ID: 3686190907-403065229
                                                                                                                                                                                                  • Opcode ID: 21ab3ac6ab41c28db8774441e2c1a2a19b14cd757033ec8f20b5e02462ba217d
                                                                                                                                                                                                  • Instruction ID: f46d7c09407a77dcb0958274e4e72de45217c13500487f026cabaf3d13e600b5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21ab3ac6ab41c28db8774441e2c1a2a19b14cd757033ec8f20b5e02462ba217d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D701F973B81631779621EB959E09A9B7A98AF01BB1F010215BE42BF1C0E754CD0081E5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00AA8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00AA85F3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00AA85FD
                                                                                                                                                                                                  • GetExitCodeThread.KERNEL32(00000001,00000000,?,00AA8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00AA863C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00AA8646
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to wait for cache thread to terminate., xrefs: 00AA862E
                                                                                                                                                                                                  • Failed to get cache thread exit code., xrefs: 00AA8677
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\core.cpp, xrefs: 00AA8624, 00AA866D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                                                                                                  • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\36\s\wix\src\burn\engine\core.cpp
                                                                                                                                                                                                  • API String ID: 3686190907-1959897714
                                                                                                                                                                                                  • Opcode ID: 23232e99061d5087fd02f2534e74938ad3692fab148daa6c0acdb3221324ce87
                                                                                                                                                                                                  • Instruction ID: 8c4691c2448d752076b54ed7038f594af86e82dd7e335177acc4d81a3f580c3f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 23232e99061d5087fd02f2534e74938ad3692fab148daa6c0acdb3221324ce87
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F411AD70741246FBEB00EFA5DE06BAE77F8AB11744F10012AB905EB1E0DF79CA009B65
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(00A9714F,000000FF,00A9710B,00AA944A,00A97083,00000000,?), ref: 00AAC987
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00A9714F,000000FF,00A9710B,00AA944A,00A97083,00000000,?), ref: 00AAC9CB
                                                                                                                                                                                                    • Part of subcall function 00AAAED5: _memcmp.LIBVCRUNTIME ref: 00AAAF63
                                                                                                                                                                                                    • Part of subcall function 00AAAED5: _memcmp.LIBVCRUNTIME ref: 00AAAF9D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get signer chain from authenticode certificate., xrefs: 00AAC9F9
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAC95D, 00AAC9AB, 00AAC9EF
                                                                                                                                                                                                  • 0, xrefs: 00AAC903
                                                                                                                                                                                                  • Failed to verify expected payload against actual certificate chain., xrefs: 00AACA0F
                                                                                                                                                                                                  • Failed to get provider state from authenticode certificate., xrefs: 00AAC9B5
                                                                                                                                                                                                  • Failed authenticode verification of payload: %ls, xrefs: 00AAC968
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast_memcmp
                                                                                                                                                                                                  • String ID: 0$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 3428363238-365119555
                                                                                                                                                                                                  • Opcode ID: 06ab68e38da06d19448ac1be957163f1838ccfddba04ccfb6040d2ee63af0b9f
                                                                                                                                                                                                  • Instruction ID: 5c9bb72d4f5559de29766d1b456a969edae9d022b6945e3f60d161fbe3bdd51a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06ab68e38da06d19448ac1be957163f1838ccfddba04ccfb6040d2ee63af0b9f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4841B5B2D01229ABDB10DFD5C946AAFBBB4AF05760F11021AF901BB381D7749D008BA5
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00AB1453
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00AB1560
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • UX requested unknown container with id: %ls, xrefs: 00AB151F
                                                                                                                                                                                                  • Engine is active, cannot change engine state., xrefs: 00AB146D
                                                                                                                                                                                                  • Failed to set source path for container., xrefs: 00AB1545
                                                                                                                                                                                                  • UX denied while trying to set source on embedded payload: %ls, xrefs: 00AB14D5
                                                                                                                                                                                                  • UX requested unknown payload with id: %ls, xrefs: 00AB14BF
                                                                                                                                                                                                  • Failed to set source path for payload., xrefs: 00AB14EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-4121889706
                                                                                                                                                                                                  • Opcode ID: b7fbdc35ab8c0839c50dfabe1dd9a748fd75e5db95110ae3f490ea3cbace429b
                                                                                                                                                                                                  • Instruction ID: 907fc71315a55713af13dd6e997e2e5b4c005ee1b9d1fd99efeda5d2fcae6df3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b7fbdc35ab8c0839c50dfabe1dd9a748fd75e5db95110ae3f490ea3cbace429b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6331E372A00251BB8B21DB6DCC56EDBB7FCAF947207558216F80AEB342DB75ED008790
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000), ref: 00A98F12
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to append escape sequence., xrefs: 00A98FA5
                                                                                                                                                                                                  • Failed to copy string., xrefs: 00A98FC6
                                                                                                                                                                                                  • []{}, xrefs: 00A98F3C
                                                                                                                                                                                                  • Failed to format escape sequence., xrefs: 00A98FAC
                                                                                                                                                                                                  • Failed to append characters., xrefs: 00A98F9E
                                                                                                                                                                                                  • Failed to allocate buffer for escaped string., xrefs: 00A98F29
                                                                                                                                                                                                  • [\%c], xrefs: 00A98F71
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen
                                                                                                                                                                                                  • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                                                                                                                                                                                  • API String ID: 1659193697-3250950999
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000000,00ADE500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,00AB8372,?,00000001,?,00000000), ref: 00AB77E7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to plan action for target product., xrefs: 00AB7892
                                                                                                                                                                                                  • Failed to copy target product code., xrefs: 00AB7918
                                                                                                                                                                                                  • Failed grow array of ordered patches., xrefs: 00AB7880
                                                                                                                                                                                                  • Failed to insert execute action., xrefs: 00AB783C
                                                                                                                                                                                                  • feclient.dll, xrefs: 00AB77DD, 00AB7905
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
                                                                                                                                                                                                  • API String ID: 1825529933-3477540455
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00AA8D42,000000B8,0000001C,00000100), ref: 00ABADFB
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00ADE4B8,000000FF,?,?,?,00AA8D42,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 00ABAE85
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • comres.dll, xrefs: 00ABAF07
                                                                                                                                                                                                  • BA aborted detect forward compatible bundle., xrefs: 00ABAEEF
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\detect.cpp, xrefs: 00ABAEE5
                                                                                                                                                                                                  • Failed to initialize update bundle., xrefs: 00ABAF28
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$c:\agent\_work\36\s\wix\src\burn\engine\detect.cpp$comres.dll
                                                                                                                                                                                                  • API String ID: 1825529933-3247864867
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000001,00ADE500,?,00000001,000000FF,?,?,00000000,00000000,00000001,00000000,?,00AA9106), ref: 00AAF20D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to connect to elevated child process., xrefs: 00AAF1F6
                                                                                                                                                                                                  • Failed to elevate., xrefs: 00AAF1EF
                                                                                                                                                                                                  • UX aborted elevation requirement., xrefs: 00AAF115
                                                                                                                                                                                                  • Failed to create pipe and cache pipe., xrefs: 00AAF15D
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 00AAF10B
                                                                                                                                                                                                  • Failed to create pipe name and client token., xrefs: 00AAF141
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                  • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  • API String ID: 2962429428-2894792899
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 00AD54E8
                                                                                                                                                                                                  • GetComputerNameW.KERNEL32(?,?), ref: 00AD5540
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • --- logging level: %hs ---, xrefs: 00AD5600
                                                                                                                                                                                                  • Executable: %ls v%d.%d.%d.%d, xrefs: 00AD559C
                                                                                                                                                                                                  • Computer : %ls, xrefs: 00AD55AE
                                                                                                                                                                                                  • === Logging started: %ls ===, xrefs: 00AD556B
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Name$ComputerFileModule
                                                                                                                                                                                                  • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                                                                                                                                                                                  • API String ID: 2577110986-3153207428
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000001,00000001,crypt32.dll,00000000,00000001,00ADE500,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00ADCB9A
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,crypt32.dll,00000000,00000001,00ADE500,00000000,00000001,00000000,00020019), ref: 00ADCBD5
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00ADCBF1
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00ADCBFE
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00ADCC0B
                                                                                                                                                                                                    • Part of subcall function 00A9588F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00ADCB87,00000001), ref: 00A958A7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close$InfoOpenQuery
                                                                                                                                                                                                  • String ID: crypt32.dll
                                                                                                                                                                                                  • API String ID: 796878624-1661610138
                                                                                                                                                                                                  • Opcode ID: 82fc510aaca9be01c65ee2d4fd52c52e1d0152f87517cf38888a0201e4aa972c
                                                                                                                                                                                                  • Instruction ID: c87e05a30081c3f63089db2f78f705e537d1e4f7f1087f698ed7efaf0d38e99c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 82fc510aaca9be01c65ee2d4fd52c52e1d0152f87517cf38888a0201e4aa972c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF412275C0122ABFCF12AFE4DD828EDFA79EF04764B55416BE901B6221D3318E45EB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00AFF764,00000000,?,?,?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?), ref: 00AD56DD
                                                                                                                                                                                                  • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00AFF75C,?,00AA5ECA,00000000,Setup), ref: 00AD5781
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?,?,?), ref: 00AD5791
                                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?), ref: 00AD57CB
                                                                                                                                                                                                    • Part of subcall function 00A94832: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00A9497C
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00AFF764,?,?,00AFF75C,?,00AA5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A971C0,?), ref: 00AD5824
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp, xrefs: 00AD57B0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp
                                                                                                                                                                                                  • API String ID: 4111229724-4006286326
                                                                                                                                                                                                  • Opcode ID: 71e174517f1a165e555abc9344a34f50d911522ceca1f837234eaf3317d12c7c
                                                                                                                                                                                                  • Instruction ID: 3c4f5f522cbaf156c4426cc3b4d55cfdff1391f4d132e9662ad561767e0f3883
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71e174517f1a165e555abc9344a34f50d911522ceca1f837234eaf3317d12c7c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC314432E01629EFDF11EFF4DD85E6E76A9AF00750B144526BA02A7261D730CD01EBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 00A95E74
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00A95ED6
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 00A95EE2
                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00A95F25
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BundleUpgradeCode, xrefs: 00A95E41
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A95F4D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen$Value
                                                                                                                                                                                                  • String ID: BundleUpgradeCode$c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 198323757-3313191704
                                                                                                                                                                                                  • Opcode ID: 637e3097fc90e2e0503ef3c481735df5a7aa8918bf4197e816e856106ff96f59
                                                                                                                                                                                                  • Instruction ID: e9158be204296d128a528d51bd0553917b4fccd71fcde4e6a4cefab4d9ace4a3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 637e3097fc90e2e0503ef3c481735df5a7aa8918bf4197e816e856106ff96f59
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B319576E0162AAFCF22DFA8CD869AEBBB9FF44750F050555F911AB210D730DD118BA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00AACA2F,00000001,00000000,00000000), ref: 00AAEF8D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A9712C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AAEF99
                                                                                                                                                                                                    • Part of subcall function 00AAEBE5: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C), ref: 00AAEBF7
                                                                                                                                                                                                    • Part of subcall function 00AAEBE5: GetLastError.KERNEL32(?,?,00AAF009,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C,?,?,?), ref: 00AAEC01
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,?,00AAE48F,?,?,?,?,?,00A9712C,?,?,?,?), ref: 00AAF01A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create elevated cache thread., xrefs: 00AAEFC7
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 00AAEFBD
                                                                                                                                                                                                  • Failed to pump messages in child process., xrefs: 00AAEFF1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                                                                                                                                                                                                  • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  • API String ID: 3606931770-3460033527
                                                                                                                                                                                                  • Opcode ID: 70e77ba3cb0209157a7374b04596a07c0a32cb027fddc06dc3219ddbd938544d
                                                                                                                                                                                                  • Instruction ID: 6bb82e823afd901ed5873e89d151dd7f49c22986153d9db2e4434b921bb9eb3a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70e77ba3cb0209157a7374b04596a07c0a32cb027fddc06dc3219ddbd938544d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E41E5B6D01229AF8B45DFA9D9819DEBBF4FF09710F10412AF919E7340E770A9418FA4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00A975EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00A9903E
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00A975EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00A9911D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format value '%ls' of variable: %ls, xrefs: 00A990E7
                                                                                                                                                                                                  • Failed to get variable: %ls, xrefs: 00A9907F
                                                                                                                                                                                                  • Failed to get value as string for variable: %ls, xrefs: 00A9910C
                                                                                                                                                                                                  • *****, xrefs: 00A990D9, 00A990E6
                                                                                                                                                                                                  • Failed to get unformatted string., xrefs: 00A990AE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-2873099529
                                                                                                                                                                                                  • Opcode ID: 282935ce4bd07a62bf7a226d183e0a7c6cb712548d4151b95ecbed8673eb03e1
                                                                                                                                                                                                  • Instruction ID: 318653763a10780759cb94ec592ce527c029b54ac5e65453d52fba13056c35b1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 282935ce4bd07a62bf7a226d183e0a7c6cb712548d4151b95ecbed8673eb03e1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F31C032A0062AFBCF219F58CD46F9E7BB8BF10324F104219F9146A150C771EA909BD1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,?,?,00000000,00000000,?,?,?), ref: 00AAAA8B
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AAAA95
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00AAAAF5
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AAAAB9
                                                                                                                                                                                                  • Failed to initialize ACL., xrefs: 00AAAAC3
                                                                                                                                                                                                  • Failed to allocate administrator SID., xrefs: 00AAAA71
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileInitializeLast
                                                                                                                                                                                                  • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 669721577-2801953210
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00AA5CE7,00000001,feclient.dll,?,00000000,?,?,?,00A967E0), ref: 00A91C66
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AA5CE7,00000001,feclient.dll,?,00000000,?,?,?,00A967E0,?,?,00ADE488,?,00000001), ref: 00A91C72
                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00AA5CE7,00000001,feclient.dll,?,00000000,?,?,?,00A967E0,?), ref: 00A91CAD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AA5CE7,00000001,feclient.dll,?,00000000,?,?,?,00A967E0,?,?,00ADE488,?,00000001), ref: 00A91CB7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • crypt32.dll, xrefs: 00A91C2F
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp, xrefs: 00A91CDB
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CurrentDirectoryErrorLast
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp$crypt32.dll
                                                                                                                                                                                                  • API String ID: 152501406-854554080
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Unexpected call to CabWrite()., xrefs: 00AB2794
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB27FE
                                                                                                                                                                                                  • Failed to write during cabinet extraction., xrefs: 00AB2808
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                                                                                                                  • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 1970631241-2015724686
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00ACDB74,00000021,00ACDCCE,00000100,00000000,00000000,?,00ACDCCE,00000021,FlsSetValue,00AF675C,00AF6764,00000100), ref: 00ACDB28
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                                  • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                  • API String ID: 3664257935-537541572
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9B7F5
                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00A9C5C6,00000100,000002C0,000002C0,00000100), ref: 00A9B80A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A9C5C6,00000100,000002C0,000002C0,00000100), ref: 00A9B817
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9B87C
                                                                                                                                                                                                  • Failed while searching directory search: %ls, for path: %ls, xrefs: 00A9B857
                                                                                                                                                                                                  • Failed to format variable string., xrefs: 00A9B800
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesErrorFileLastOpen@16
                                                                                                                                                                                                  • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                                                                                                                  • API String ID: 1811509786-402580132
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00AB2895
                                                                                                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AB28A7
                                                                                                                                                                                                  • SetFileTime.KERNEL32(?,?,?,?), ref: 00AB28BA
                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00AB248A,?,?), ref: 00AB28C9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB2864
                                                                                                                                                                                                  • Invalid operation for this state., xrefs: 00AB286E
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Time$File$CloseDateHandleLocal
                                                                                                                                                                                                  • String ID: Invalid operation for this state.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 609741386-1856606289
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • _memcpy_s.LIBCMT ref: 00AA6357
                                                                                                                                                                                                  • _memcpy_s.LIBCMT ref: 00AA636A
                                                                                                                                                                                                  • _memcpy_s.LIBCMT ref: 00AA6385
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _memcpy_s$Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: Failed to allocate memory for message.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                                                                                                                                                                                                  • API String ID: 886498622-4208266268
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00A97F43,00000000), ref: 00AD5BDC
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AD5BE3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A97F43,00000000), ref: 00AD5C02
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • kernel32, xrefs: 00AD5BD6
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00AD5C23
                                                                                                                                                                                                  • IsWow64Process2, xrefs: 00AD5BCF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                                                                  • String ID: IsWow64Process2$c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp$kernel32
                                                                                                                                                                                                  • API String ID: 4275029093-3531368989
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00AAA96E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                                  • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                                                                                                                                                                                                  • API String ID: 3472027048-398165853
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,00000082,?,?), ref: 00AB0600
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00AB060F
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,?), ref: 00AB0623
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00AB0633
                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00AB064D
                                                                                                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 00AB06AC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Long$Proc$MessagePostQuit
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3812958022-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AC3125,00AC37FC), ref: 00AC313C
                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AC314A
                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AC3163
                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00AC3125,00AC37FC), ref: 00AC31B5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to save state., xrefs: 00AAE557
                                                                                                                                                                                                  • Unexpected elevated message sent to child process, msg: %u, xrefs: 00AAE68A
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 00AAE67E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandleMutexRelease
                                                                                                                                                                                                  • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  • API String ID: 4207627910-1385235812
                                                                                                                                                                                                  • Opcode ID: 8dce53d25863c10edde4ee11259fda309f76902246f0b88c12f50814ab00fc7b
                                                                                                                                                                                                  • Instruction ID: 9be6659634b48174b5564f08a4244cdcb0391799092069be1298f5a420043998
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8dce53d25863c10edde4ee11259fda309f76902246f0b88c12f50814ab00fc7b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A61A37A100510FFCB169F84CE01C56BBB2FF19720715C959FA9A5B6B2C732E921EB41
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A95AE5
                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00AA8D17,00000100,000000B0,00000088,00000410,000002C0), ref: 00A95B1C
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00A95C0E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BundleUpgradeCode, xrefs: 00A95AC4
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A95B5F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: QueryValue$lstrlen
                                                                                                                                                                                                  • String ID: BundleUpgradeCode$c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 3790715954-3313191704
                                                                                                                                                                                                  • Opcode ID: 9622c37c7835a801c586465b4601b084dcbd424e9c8b977884fc0293bd0dd24b
                                                                                                                                                                                                  • Instruction ID: 98ed93121585baa72eeb17f0d7b76a54e617c96035eaff19f6e81f995a03083a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9622c37c7835a801c586465b4601b084dcbd424e9c8b977884fc0293bd0dd24b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE41A435F00A1AEBCF26DFA9D886AAEB7F9EF04710F154569F901AB210D631DD41CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A93FE8: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00AAA3CE,00000000,00000000,00000000,00000000,00000000), ref: 00A94000
                                                                                                                                                                                                    • Part of subcall function 00A93FE8: GetLastError.KERNEL32(?,?,?,00AAA3CE,00000000,00000000,00000000,00000000,00000000), ref: 00A9400A
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00AD9248,?,?,?,?,?,?,?,00010000,?), ref: 00AD99F7
                                                                                                                                                                                                  • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00AD9248,?,?,?,?), ref: 00AD9A49
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AD9248,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00AD9A8F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AD9248,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00AD9AB5
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 00AD9AD9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$Write$Pointer
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                                                                                                                                                                                  • API String ID: 133221148-666089989
                                                                                                                                                                                                  • Opcode ID: 6c46cd4bc3c847e19404f6702ac9f91d3d7f0d4028d6bcacedf9739637d390e6
                                                                                                                                                                                                  • Instruction ID: e536d1f652987ec0460545a83e77b7d1633f14f3870695c8945c9205cdfd942a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6c46cd4bc3c847e19404f6702ac9f91d3d7f0d4028d6bcacedf9739637d390e6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C5418E73A0021ABBEB21CF94CD44BEB7BA8EF04794F140216BD01A62A0D770DD51CBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00AD5196,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00AD5196,00AB2E9E,?,00000000), ref: 00A92F48
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00AD5196,00AB2E9E,?,00000000,0000FDE9,?,00AB2E9E), ref: 00A92F54
                                                                                                                                                                                                    • Part of subcall function 00A95369: GetProcessHeap.KERNEL32(00000000,000001C7,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95371
                                                                                                                                                                                                    • Part of subcall function 00A95369: HeapSize.KERNEL32(00000000,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95378
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp, xrefs: 00A92F78
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp
                                                                                                                                                                                                  • API String ID: 3662877508-3940310746
                                                                                                                                                                                                  • Opcode ID: 50bd22b46dca9f800cb969e1ac72797fe8defcbb702f83a041d831c7ba8fe51d
                                                                                                                                                                                                  • Instruction ID: ad49d8192427fcead6810658460d46dad20e8f9f095d58535659bbe0ec6795c3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50bd22b46dca9f800cb969e1ac72797fe8defcbb702f83a041d831c7ba8fe51d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8631C33130021ABFEF119F65CCC5B7677FDAB547A8B104229FA129F2A0EB718D1097A1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00A93A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,00AABCBB,00000001), ref: 00A938EC
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000002,?,00A93A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,00AABCBB,00000001,000007D0,00000001,00000001,00000003), ref: 00A938FB
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,00A93A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,00AABCBB,00000001), ref: 00A93994
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A93A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,00AABCBB,00000001,000007D0,00000001,00000001,00000003,000007D0), ref: 00A9399E
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00A93B67
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 00A93B73
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A939BD
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorFindLastMove$CloseFirst
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 3479031965-1339450348
                                                                                                                                                                                                  • Opcode ID: ad5aab2d1af1af0116fe3c44d1f357fc3747aa5a81d50d2952bf73074502ca4d
                                                                                                                                                                                                  • Instruction ID: c581258bc2d35c27eebaeba25b56790341e5c98a91b42ec4e3a1b2c8468a0904
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad5aab2d1af1af0116fe3c44d1f357fc3747aa5a81d50d2952bf73074502ca4d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB310037B41226ABDF315F68CC61B7B76F5AF50BA0F124126FC45AB240D6B18E4186D0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 00ABC8D7
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to extract all payloads from container: %ls, xrefs: 00ABC91B
                                                                                                                                                                                                  • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00ABC96C
                                                                                                                                                                                                  • Failed to extract payload: %ls from container: %ls, xrefs: 00ABC960
                                                                                                                                                                                                  • Failed to open container: %ls., xrefs: 00ABC8A9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                                                                                                                                                                                                  • API String ID: 1825529933-3891707333
                                                                                                                                                                                                  • Opcode ID: a6eb628f4772d9ce9f6b362afd858115d8215e4adc81dbcd73653f4003d239eb
                                                                                                                                                                                                  • Instruction ID: 3e5641948197873a310b30420de84ba0f1510beda42a9217abcd8485bc463a2e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a6eb628f4772d9ce9f6b362afd858115d8215e4adc81dbcd73653f4003d239eb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1031A032D00119BBDF11EAE4CD42EDE77BDAF14720F200611FA22BA192E771AA55DB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00A93B67
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 00A93B73
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00A93B1E
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                    • Part of subcall function 00A95ABD: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A95AE5
                                                                                                                                                                                                    • Part of subcall function 00A95ABD: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00AA8D17,00000100,000000B0,00000088,00000410,000002C0), ref: 00A95B1C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseFindQueryValue$FileFirstOpen
                                                                                                                                                                                                  • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                                                                                                                                                                  • API String ID: 3397690329-3978359083
                                                                                                                                                                                                  • Opcode ID: 90fb305cf84d5e5a863e88ab40cd22ee69074600e88bebc63abab8f00e1868fc
                                                                                                                                                                                                  • Instruction ID: c4610fd932129360dc5bcaf47c47ffa6018e36d996799ffdec0a34855844f159
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 90fb305cf84d5e5a863e88ab40cd22ee69074600e88bebc63abab8f00e1868fc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA31AC33F00219BADF21AF95CC81AAEBBF5EF00790F15816AE901AA555E7719F80CB50
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00AA2323,00000001,00000001,00000001,00AA2323,00000000), ref: 00AA0D66
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00AA2323,00000001,00000001,00000001,00AA2323,00000000,00000001,00000000,?,00AA2323,00000001), ref: 00AA0D83
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format key for update registration., xrefs: 00AA0D1C
                                                                                                                                                                                                  • Failed to remove update registration key: %ls, xrefs: 00AA0DAE
                                                                                                                                                                                                  • PackageVersion, xrefs: 00AA0D47
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCompareString
                                                                                                                                                                                                  • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                                                                                                                                                                                                  • API String ID: 446873843-3222553582
                                                                                                                                                                                                  • Opcode ID: af8950d2f24cf28bf8771b0fad7727cdf1f982a98ed75efc0f6bbc5b34728725
                                                                                                                                                                                                  • Instruction ID: 25bfa45edbd0b10a1fde7d433b7be9e278ea3215525c8457d83ae636e68491b5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: af8950d2f24cf28bf8771b0fad7727cdf1f982a98ed75efc0f6bbc5b34728725
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95216132D01665BADF12ABB9CD46FAFBEB8EF06764F104265B811A7191D7709A00CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CopyFileW.KERNEL32(00000000,00A96A86,00000000,?,?,00000000,?,00A93818,00000000,00A96A86,00000000,00000000,?,00AAA24E,?,?), ref: 00A93717
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A93818,00000000,00A96A86,00000000,00000000,?,00AAA24E,?,?,00000001,00000003,000007D0,?,?,?), ref: 00A93725
                                                                                                                                                                                                  • CopyFileW.KERNEL32(00000000,00A96A86,00000000,00A96A86,00000000,?,00A93818,00000000,00A96A86,00000000,00000000,?,00AAA24E,?,?,00000001), ref: 00A93797
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A93818,00000000,00A96A86,00000000,00000000,?,00AAA24E,?,?,00000001,00000003,000007D0,?,?,?), ref: 00A937A1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A937C0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CopyErrorFileLast
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 374144340-1339450348
                                                                                                                                                                                                  • Opcode ID: fb9c28eaf195d2fc0bb1a4aab5a400183fdcca404c8531a8c2e7991e04cad3c0
                                                                                                                                                                                                  • Instruction ID: 2c78b2af4d001efd9fb8f918c3791bce876dd126d4b427b7568439b4a124601d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb9c28eaf195d2fc0bb1a4aab5a400183fdcca404c8531a8c2e7991e04cad3c0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 162192FB741272A7AF31DBE98C84A77B6F8AF51B60B110126FD09DB250D661CE0182E1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00AA0C41
                                                                                                                                                                                                    • Part of subcall function 00A9383E: SetFileAttributesW.KERNEL32(00ABAD92,00000080,00000000,00ABAD92,000000FF,00000000,?,?,00ABAD92), ref: 00A9386D
                                                                                                                                                                                                    • Part of subcall function 00A9383E: GetLastError.KERNEL32(?,?,00ABAD92), ref: 00A93877
                                                                                                                                                                                                    • Part of subcall function 00A916A9: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,00AA0C8C,00000001,00000000,00000095,00000001,00AA2332,00000095,00000000,swidtag,00000001), ref: 00A916C6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format tag folder path., xrefs: 00AA0CAE
                                                                                                                                                                                                  • Failed to allocate regid file path., xrefs: 00AA0CA0
                                                                                                                                                                                                  • Failed to allocate regid folder path., xrefs: 00AA0CA7
                                                                                                                                                                                                  • swidtag, xrefs: 00AA0C50
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
                                                                                                                                                                                                  • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
                                                                                                                                                                                                  • API String ID: 1428973842-4170906717
                                                                                                                                                                                                  • Opcode ID: 13b06eaf76f47f31d4b9426dc844748f2ec65e2a90b197f04bce569da4b3f0dd
                                                                                                                                                                                                  • Instruction ID: d3d7261361dc97ba0cd9b7b4c0ee670e43e287ab86aed1cdccb1fc8df1c4753a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13b06eaf76f47f31d4b9426dc844748f2ec65e2a90b197f04bce569da4b3f0dd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23215E32E00518FBCF15AF9ACE41E9DBBB5EF45720F10C2A5F514A72A1DB319A419B50
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00ABA99D
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,00AA14BA,00000001,00000100,000001B4,00000000), ref: 00ABA9EB
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00ABA93A
                                                                                                                                                                                                  • Failed to open uninstall registry key., xrefs: 00ABA960
                                                                                                                                                                                                  • Failed to enumerate uninstall key for related bundles., xrefs: 00ABA9FA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCompareOpenString
                                                                                                                                                                                                  • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                                  • API String ID: 2817536665-2531018330
                                                                                                                                                                                                  • Opcode ID: 9c7f3826df81fd4a97daa7f9532493e2afd96d4c82ae163577b0202a4edfc60a
                                                                                                                                                                                                  • Instruction ID: 48a14c59073912cd9779f9185d2c08ac6a0f15d54473017e911d3fda99e577f0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c7f3826df81fd4a97daa7f9532493e2afd96d4c82ae163577b0202a4edfc60a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D21F332900118FBDF129BA4CC8ABEDBA7DEB10360F250625F4117A0A1D6354E90F781
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00AD7968
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD7984
                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00AD7A0B
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD7A16
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00AD799B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 760788290-1984227935
                                                                                                                                                                                                  • Opcode ID: 2a8d1870d428ca06f89bae1ca68135c1b4af8fb91e2991a501f00c17a12d606a
                                                                                                                                                                                                  • Instruction ID: 72ac17cb6f30223838ed2266100baf426ec89d7a7e238d8ba0549679f94e0988
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a8d1870d428ca06f89bae1ca68135c1b4af8fb91e2991a501f00c17a12d606a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C521B536901115EFCB25EBA4C959EAEBBB8EF84754F15015AF906AF320E730DD01CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ABEDEF
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?), ref: 00ABEE1D
                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00ABEE26
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to allocate buffer., xrefs: 00ABED9E
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 00ABED94
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                                                                                                                                                  • String ID: Failed to allocate buffer.$c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                                                  • API String ID: 944053411-953156932
                                                                                                                                                                                                  • Opcode ID: bc0e0f3ce2e7417e5ebda7eb8d20549eafe5a1126a12a44a8b91bcd5671a0c7e
                                                                                                                                                                                                  • Instruction ID: 848ddbea07f8fef7b7c0f2fb3197902408b28e9a619854e849eb792090951329
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc0e0f3ce2e7417e5ebda7eb8d20549eafe5a1126a12a44a8b91bcd5671a0c7e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE21A375A00606BFDB00DF68D845AD9B7F9FF48310F108A29F965AB392C7B1E9518B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00A9828E,00A9828E,?,00A97301,?,?,00000000), ref: 00A973A7
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A97301,?,?,00000000,?,?,00A9828E,?,00A99C40,?,?,?,?,?), ref: 00A973D6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • version.dll, xrefs: 00A97399
                                                                                                                                                                                                  • Failed to compare strings., xrefs: 00A97404
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A973FA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareErrorLastString
                                                                                                                                                                                                  • String ID: Failed to compare strings.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$version.dll
                                                                                                                                                                                                  • API String ID: 1733990998-34241861
                                                                                                                                                                                                  • Opcode ID: 6b14ad7b7740fd339c271b8f88346c2010b6a6d7f85696c20eaf7eec60c29c67
                                                                                                                                                                                                  • Instruction ID: 7b1b31b687ba23eeacbc965b9a293b73b08bdc2d82aed7a4bb154040a426422d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6b14ad7b7740fd339c271b8f88346c2010b6a6d7f85696c20eaf7eec60c29c67
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E210432768125ABCB108F9CCD81A5EBBE4BF45760B210319FD21AF2C0D670ED01DAA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00AB86A3,00000000,?), ref: 00AD8F60
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AB86A3,00000000,?,?,?,?,?,?,?,?,?,00AB8AB3,?,?), ref: 00AD8F6E
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00AB86A3,00000000,?), ref: 00AD8FA8
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AB86A3,00000000,?,?,?,?,?,?,?,?,?,00AB8AB3,?,?), ref: 00AD8FB2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\svcutil.cpp
                                                                                                                                                                                                  • API String ID: 355237494-1435687125
                                                                                                                                                                                                  • Opcode ID: 03af2566853818034b458a5731daea7e4659573fa5aae6cb040b01e25e678062
                                                                                                                                                                                                  • Instruction ID: e5f0ce08ea7e708ec35e431c4f791c38f3ec868b52794f64e76e0133ee3ba3cd
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03af2566853818034b458a5731daea7e4659573fa5aae6cb040b01e25e678062
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 24210536A41134BADB21A7959D09BAF7A79EF54B60F114113FD07AB340EA74CD00D2E1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to find variable., xrefs: 00A9B5B7
                                                                                                                                                                                                  • Failed to parse condition '%ls' at position: %u, xrefs: 00A9B57C
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\condition.cpp, xrefs: 00A9B56C, 00A9B5AD
                                                                                                                                                                                                  • Failed to read next symbol., xrefs: 00A9B5E6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _memcpy_s
                                                                                                                                                                                                  • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$c:\agent\_work\36\s\wix\src\burn\engine\condition.cpp
                                                                                                                                                                                                  • API String ID: 2001391462-2050487642
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00ADE500,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,00AA705A), ref: 00AA6783
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp, xrefs: 00AA67BB
                                                                                                                                                                                                  • Failed to allocate message to write., xrefs: 00AA6762
                                                                                                                                                                                                  • Failed to write message type to pipe., xrefs: 00AA67C5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileWrite
                                                                                                                                                                                                  • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 3934441357-4125673880
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A9BB39
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format path string., xrefs: 00A9BB44
                                                                                                                                                                                                  • Failed to set variable., xrefs: 00A9BB98
                                                                                                                                                                                                  • File search: %ls, did not find path: %ls, xrefs: 00A9BBA4
                                                                                                                                                                                                  • Failed get file version., xrefs: 00A9BB79
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Open@16
                                                                                                                                                                                                  • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                                                                                                                                                                                                  • API String ID: 3613110473-2458530209
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00AAAA6B,0000001A,?,?,00000000,00000000), ref: 00AA9E8D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AAAA6B,0000001A,?,?,00000000,00000000,?,?,?), ref: 00AA9E97
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create well known SID., xrefs: 00AA9EC5
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00AA9E6B, 00AA9EBB
                                                                                                                                                                                                  • Failed to allocate memory for well known SID., xrefs: 00AA9E75
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                                                                                                                                                  • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                                                                                                                                                                                  • API String ID: 2186923214-2142282707
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 00ABF8A7
                                                                                                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00ABF8D1
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00ABFA9F,00000000,?,?,?,00000000,00000000), ref: 00ABF8D9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 00ABF8FD
                                                                                                                                                                                                  • Failed while waiting for download., xrefs: 00ABF907
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessageMultipleObjectsPeekWait
                                                                                                                                                                                                  • String ID: Failed while waiting for download.$c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp
                                                                                                                                                                                                  • API String ID: 435350009-2923220245
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • <, xrefs: 00AD8308
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\shelutil.cpp, xrefs: 00AD8341
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseErrorExecuteHandleLastShell
                                                                                                                                                                                                  • String ID: <$c:\agent\_work\36\s\wix\src\libs\dutil\shelutil.cpp
                                                                                                                                                                                                  • API String ID: 3023784893-1758181408
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetComputerNameW.KERNEL32(?,00000010), ref: 00A97C11
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A97C1B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get computer name., xrefs: 00A97C49
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A97C62
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A97C3F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ComputerErrorLastName
                                                                                                                                                                                                  • String ID: Failed to get computer name.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 3560734967-964797764
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00A9B7C2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy condition string from BSTR, xrefs: 00A9B7AC
                                                                                                                                                                                                  • Failed to get Condition inner text., xrefs: 00A9B792
                                                                                                                                                                                                  • Failed to select condition node., xrefs: 00A9B779
                                                                                                                                                                                                  • Condition, xrefs: 00A9B75D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                                                  • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
                                                                                                                                                                                                  • API String ID: 3341692771-3600577998
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00A984D8
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A984E2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get temp path., xrefs: 00A98510
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A9852C
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A98506
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastPathTemp
                                                                                                                                                                                                  • String ID: Failed to get temp path.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 1238063741-4083656488
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00A97B5D
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00A97B69,00000000), ref: 00AD5CE7
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetProcAddress.KERNEL32(00000000), ref: 00AD5CEE
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D09
                                                                                                                                                                                                    • Part of subcall function 00AD8373: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00AD83A0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get shell folder., xrefs: 00A97B91
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A97BC1
                                                                                                                                                                                                  • Failed to get 64-bit folder., xrefs: 00A97BA7
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00A97B87
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                                                                                                                                                                                                  • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 2084161155-2699074091
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00A93B67
                                                                                                                                                                                                    • Part of subcall function 00A93B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 00A93B73
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00ABAD92,00000080,00000000,00ABAD92,000000FF,00000000,?,?,00ABAD92), ref: 00A9386D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00ABAD92), ref: 00A93877
                                                                                                                                                                                                  • DeleteFileW.KERNEL32(00ABAD92,00000000,00ABAD92,000000FF,00000000,?,?,00ABAD92), ref: 00A93897
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00ABAD92), ref: 00A938A1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A938BC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 3967264933-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00ABF4FE
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00ABF543
                                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,?), ref: 00ABF557
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get state during job modification., xrefs: 00ABF517
                                                                                                                                                                                                  • Failure while sending progress during BITS job modification., xrefs: 00ABF532
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                                  • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                                                                                                                                                                                                  • API String ID: 3094578987-1258544340
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,00ABFA29,?,?,?,?,?,00000000,00000000,?), ref: 00ABF2EB
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00ABFA29,?,?,?,?,?,00000000,00000000,?), ref: 00ABF2F6
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00ABFA29,?,?,?,?,?,00000000,00000000,?), ref: 00ABF303
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create BITS job complete event., xrefs: 00ABF331
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 00ABF327
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateCriticalErrorEventInitializeLastSection
                                                                                                                                                                                                  • String ID: Failed to create BITS job complete event.$c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp
                                                                                                                                                                                                  • API String ID: 3069647169-1975467286
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00ABF8C7), ref: 00ABF76F
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000008,?,00ABF8C7), ref: 00ABF7B4
                                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,00ABF8C7), ref: 00ABF7C8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get BITS job state., xrefs: 00ABF788
                                                                                                                                                                                                  • Failure while sending progress., xrefs: 00ABF7A3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                                  • String ID: Failed to get BITS job state.$Failure while sending progress.
                                                                                                                                                                                                  • API String ID: 3094578987-2876445054
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00AD6331
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A966AA,00000001,?,?,00A96227,?,?,?,?,00A9712C,?,?,?,?), ref: 00AD6340
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp, xrefs: 00AD6361
                                                                                                                                                                                                  • SRSetRestorePointW, xrefs: 00AD6326
                                                                                                                                                                                                  • srclient.dll, xrefs: 00AD630F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorLastProc
                                                                                                                                                                                                  • String ID: SRSetRestorePointW$c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp$srclient.dll
                                                                                                                                                                                                  • API String ID: 199729137-2477992140
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4A22C385,?,?,00000000,00ADD9DA,000000FF,?,00AC98BC,00AC99A9,?,00AC9890,00000000), ref: 00AC991E
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AC9930
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00ADD9DA,000000FF,?,00AC98BC,00AC99A9,?,00AC9890,00000000), ref: 00AC9952
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A92CCF
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A92CDB
                                                                                                                                                                                                    • Part of subcall function 00A95369: GetProcessHeap.KERNEL32(00000000,000001C7,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95371
                                                                                                                                                                                                    • Part of subcall function 00A95369: HeapSize.KERNEL32(00000000,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95378
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp, xrefs: 00A92CFF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp
                                                                                                                                                                                                  • API String ID: 3662877508-3940310746
                                                                                                                                                                                                  • Opcode ID: fd38f2b6cb3b8029d83812b73ebc4ab17963be24778c22a63995d945f58fdd34
                                                                                                                                                                                                  • Instruction ID: 8ab86da4dbee04abbf4011501b71f68675ff74ff3d6f6dc5183aa0db69fc47db
                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd38f2b6cb3b8029d83812b73ebc4ab17963be24778c22a63995d945f58fdd34
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B31D832701236BBDF219FA5CC44BAA3BE5AF55764B114225FD15AF2A0E630CC01D7D1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00A9A8E4,00A9B431,?,00A9B431,?,?,00A9B431,?,?), ref: 00A9A745
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00A9A8E4,00A9B431,?,00A9B431,?,?,00A9B431,?,?), ref: 00A9A74D
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00A9A8E4,00A9B431,?,00A9B431,?), ref: 00A9A79C
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00A9A8E4,00A9B431,?,00A9B431,?), ref: 00A9A7FE
                                                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00A9A8E4,00A9B431,?,00A9B431,?), ref: 00A9A82B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString$lstrlen
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1657112622-0
                                                                                                                                                                                                  • Opcode ID: d4fdbf366ee87d51766339806a7e8d8205c77c59a07e3c6e2acd468cdc336a80
                                                                                                                                                                                                  • Instruction ID: ce7113f532cd2b0a572bc6ccce8fc15858b902cbca187aad797ddbbb1d206c4d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4fdbf366ee87d51766339806a7e8d8205c77c59a07e3c6e2acd468cdc336a80
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 44313C72B01119AFCF258F98CC859AE3FFAEB65750B118416F91ACB210C2319991DBE2
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00A97083,WixBundleOriginalSource,?,?,00AAC326,840F01E8,WixBundleOriginalSource,?,00AFEBC0,?,00000000,00A9710B,00000001,?,?,00A9710B), ref: 00A991BF
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00A97083,00A97083,00000000,00000000,?,?,00AAC326,840F01E8,WixBundleOriginalSource,?,00AFEBC0,?,00000000,00A9710B,00000001,?), ref: 00A99226
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get value as string for variable: %ls, xrefs: 00A99215
                                                                                                                                                                                                  • WixBundleOriginalSource, xrefs: 00A991BB
                                                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 00A991F9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                                                                                                                                                                                                  • API String ID: 3168844106-30613933
                                                                                                                                                                                                  • Opcode ID: a804cf3efdb65ba1e37e31c29b6f003f5a62777ad22cfb9560ea44633a4bbb87
                                                                                                                                                                                                  • Instruction ID: 79136b5e3ebd8fc4a2da2f246df9b77f8874f39cc6e88e25bd91ce3403266ee6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a804cf3efdb65ba1e37e31c29b6f003f5a62777ad22cfb9560ea44633a4bbb87
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 74017C32A4112AFBCF11AF98CD05E9E3BA8EB10765F204225FC05AA221C7759E1197E4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,00000000,?,00000000,?,00ABEC4B,00000000), ref: 00ABEC6E
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00ABEC4B,00000000), ref: 00ABEC7A
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00ADE518,00000000,?,00000000,?,00ABEC4B,00000000), ref: 00ABEC87
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00ABEC4B,00000000), ref: 00ABEC94
                                                                                                                                                                                                  • UnmapViewOfFile.KERNEL32(00ADE4E8,00000000,?,00ABEC4B,00000000), ref: 00ABECA3
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle$FileUnmapView
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 260491571-0
                                                                                                                                                                                                  • Opcode ID: e9b9239eba0812b86dac4c039b550e253df31f27afa79e29a837d0ec5765ffb6
                                                                                                                                                                                                  • Instruction ID: 69703b3e98376a531ab65372a4676d28ac3957b0f2e350cb53196738933bd524
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9b9239eba0812b86dac4c039b550e253df31f27afa79e29a837d0ec5765ffb6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F014236401B55DFCB31AFA6DA80896FBE8AF51310315C93EE19A52822C371A890DF80
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADB289
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADB294
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADB29F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 00ADB15F
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeString$Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp
                                                                                                                                                                                                  • API String ID: 2724874077-247667380
                                                                                                                                                                                                  • Opcode ID: d54f1ba7ddca5e8efeeacb052494f634c50f632e7d19cadf5a7500df52b94b6b
                                                                                                                                                                                                  • Instruction ID: ba775fa75bc489b95d94c8629f1538eff16d645caeb4c6c530517f4ad6ccb155
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d54f1ba7ddca5e8efeeacb052494f634c50f632e7d19cadf5a7500df52b94b6b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42515172E1122AEFCF11DBA4C944FEEB7B8AF44754F124156E506AB250D770EE01CBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00ADBE2E
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00ADBE38
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Time$ErrorFileLastSystem
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\timeutil.cpp$clbcatq.dll
                                                                                                                                                                                                  • API String ID: 2781989572-3551794687
                                                                                                                                                                                                  • Opcode ID: 7112d2f78227e62cbfeebebe4e5a526cccf7c627e2e7c6a87d6c8c587c23b69f
                                                                                                                                                                                                  • Instruction ID: fa447c150d62117a7582e86aa86de4241cfce1ac164b1911cbb4d5593e95c63d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7112d2f78227e62cbfeebebe4e5a526cccf7c627e2e7c6a87d6c8c587c23b69f
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E341B675B20216EADB209BB88D45BFF7779BF50B40F16451AB642AB390DB34CE018371
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • VariantInit.OLEAUT32(000002C0), ref: 00AD7D3B
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD7D4B
                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00AD7E2A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00AD7D63
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Variant$AllocClearInitString
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 2213243845-1984227935
                                                                                                                                                                                                  • Opcode ID: 0e1efb6acc0c544d132dc4efb831667406bb46c611b99d886e3f92dfe2c71595
                                                                                                                                                                                                  • Instruction ID: 5a3a18102706e2bd8dbc7ff7ca3a9d96f1e1af835f73717b710febc5fbf63698
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e1efb6acc0c544d132dc4efb831667406bb46c611b99d886e3f92dfe2c71595
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81414675D04625ABCB15DFA5C888EAE7BB8BF45710B0542A6ED12EF311EA34DD008BA1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00ABA97E), ref: 00A9576C
                                                                                                                                                                                                  • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00ABA97E,00000000), ref: 00A9578A
                                                                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00ABA97E,00000000,00000000,00000000), ref: 00A957E0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A957B0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Enum$InfoQuery
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 73471667-90795250
                                                                                                                                                                                                  • Opcode ID: 0241acff68759e6e1c3d78a527748aaecb2ad3087f5974c368e5fba1ebc03a75
                                                                                                                                                                                                  • Instruction ID: ba60f9dc37a192cc72f364ad0c721bea4000311954e5f61cfe2f85b0c6ed2569
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0241acff68759e6e1c3d78a527748aaecb2ad3087f5974c368e5fba1ebc03a75
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A5314476E01925FBDF128BE8CD96AABBAFDEF047A0F118465FD01A7110D6309E0197E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADB10C
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00ADB117
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00ADB122
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 00ADB056
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FreeString$Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp
                                                                                                                                                                                                  • API String ID: 2724874077-247667380
                                                                                                                                                                                                  • Opcode ID: 7545138b4e741948de2378f3c2733086413ff928cf5a205ff43da07f07993e2a
                                                                                                                                                                                                  • Instruction ID: 397ed9698dcbe41ce9b9b54430abe2c117060ba3863ddbafe4ef8d55bd3d8e8b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7545138b4e741948de2378f3c2733086413ff928cf5a205ff43da07f07993e2a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E31C332E11529FBCB21DB55C985F9FBBB8AF04750F024162F912AB250DB30DE01CBA1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00ADC444: lstrlenW.KERNEL32(00000100,?,?,?,00ADC7E4,000002C0,00000100,00000100,00000100,?,?,?,00AB98FA,?,?,000001BC), ref: 00ADC469
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00ADCA4C
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000001,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00ADCA66
                                                                                                                                                                                                    • Part of subcall function 00A954AE: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00AA22E9,?,00000000,00020006), ref: 00A954D3
                                                                                                                                                                                                    • Part of subcall function 00A95D90: RegSetValueExW.ADVAPI32(00020006,00AE4178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00AA1017,00000000,?,00020006), ref: 00A95DC3
                                                                                                                                                                                                    • Part of subcall function 00A95D90: RegDeleteValueW.ADVAPI32(00020006,00AE4178,00000000,?,?,00AA1017,00000000,?,00020006,?,00AE4178,00020006,00000000,?,?,?), ref: 00A95DF3
                                                                                                                                                                                                    • Part of subcall function 00A95D42: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00AA0F6F,00AE4178,Resume,00000005,?,00000000,00000000,00000000), ref: 00A95D57
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$Close$CreateDeletelstrlen
                                                                                                                                                                                                  • String ID: %ls\%ls$crypt32.dll
                                                                                                                                                                                                  • API String ID: 3924016894-1754266218
                                                                                                                                                                                                  • Opcode ID: 8772e0e354a2daad2fdbbfe878015edf91c3f1ac5a38d226831909d279b2d9b9
                                                                                                                                                                                                  • Instruction ID: 286bfb1cdfc9c1ec76f31ac1268dc05b784e89cbed297bd37cc2906eb942931a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8772e0e354a2daad2fdbbfe878015edf91c3f1ac5a38d226831909d279b2d9b9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A4310D72C0116EBBCF12DFD4CD518AEBBBAEF047A0B514166F911B6221D7318E51EB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00ABA9BA,00000000,00000000), ref: 00ABA73B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to initialize package from related bundle id: %ls, xrefs: 00ABA721
                                                                                                                                                                                                  • Failed to open uninstall key for potential related bundle: %ls, xrefs: 00ABA6AA
                                                                                                                                                                                                  • Failed to ensure there is space for related bundles., xrefs: 00ABA6EE
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                  • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
                                                                                                                                                                                                  • API String ID: 47109696-1717420724
                                                                                                                                                                                                  • Opcode ID: a42af14846e13f1711687910812efb6e155465a86ebfdf0694a83843bbbbc44a
                                                                                                                                                                                                  • Instruction ID: 8f1c6b83fc4fba61ea6823a551a1c427d06a8b4f9c22b7f82ec38c99391ba805
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a42af14846e13f1711687910812efb6e155465a86ebfdf0694a83843bbbbc44a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A21BE72980619FBDF129B94CD46FEE7BB8FF20350F104111F902A6152DB71AE61EB92
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00A91EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,00A91DFD), ref: 00A952C9
                                                                                                                                                                                                  • HeapReAlloc.KERNEL32(00000000,?,00A91EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,00A91DFD,000001C7,00000100,?,80004005,00000000), ref: 00A952D0
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                    • Part of subcall function 00A95369: GetProcessHeap.KERNEL32(00000000,000001C7,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95371
                                                                                                                                                                                                    • Part of subcall function 00A95369: HeapSize.KERNEL32(00000000,?,00A92CA9,000001C7,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95378
                                                                                                                                                                                                  • _memcpy_s.LIBCMT ref: 00A9531C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\memutil.cpp, xrefs: 00A9535D
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$Process$AllocAllocateSize_memcpy_s
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\memutil.cpp
                                                                                                                                                                                                  • API String ID: 3406509257-2907297377
                                                                                                                                                                                                  • Opcode ID: ef3b6394528e7d9e959c9a766aa5d3275730ce2738460f7e3eb5ba3a5e378c6d
                                                                                                                                                                                                  • Instruction ID: 15ff417b8ff91e4b7d72595fa4813e5f49d9eb2036ad874b8473e896db0b6961
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef3b6394528e7d9e959c9a766aa5d3275730ce2738460f7e3eb5ba3a5e378c6d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18110232F01A29ABCF236FB89D669AF3BD9AF403A0B054711F8149F251D6B18D109390
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00ADBF9B
                                                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00ADBFC3
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00ADBFCD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\inetutil.cpp, xrefs: 00ADBFEE
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastTime$FileSystem
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\inetutil.cpp
                                                                                                                                                                                                  • API String ID: 1528435940-1406637286
                                                                                                                                                                                                  • Opcode ID: f7a5536fecb5228df533f3e1318b926504bd9e3cc592793c89dde57fa954e5c9
                                                                                                                                                                                                  • Instruction ID: 89b836afa3971a24f4c6c9079afec4aec503aac8c6d8a6b9bfb0a105b23be067
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7a5536fecb5228df533f3e1318b926504bd9e3cc592793c89dde57fa954e5c9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61114276A51139E7D720DBE9CD49AAFBBA8AB08750F020516BE06FB250D620DD048AE1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenA.KERNEL32(00AB2E9E,00000000,00000000,?,?,?,00AD51BA,00AB2E9E,00AB2E9E,?,00000000,0000FDE9,?,00AB2E9E,8007139F,Invalid operation for this state.), ref: 00AD591E
                                                                                                                                                                                                  • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00AD51BA,00AB2E9E,00AB2E9E,?,00000000,0000FDE9,?,00AB2E9E,8007139F), ref: 00AD595A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00AD51BA,00AB2E9E,00AB2E9E,?,00000000,0000FDE9,?,00AB2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00AD5964
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp, xrefs: 00AD5995
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastWritelstrlen
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp
                                                                                                                                                                                                  • API String ID: 606256338-4006286326
                                                                                                                                                                                                  • Opcode ID: ce5c368e064d5e8ddc79134c7228e007d6b1c22ab41ea978ef5a67c171706367
                                                                                                                                                                                                  • Instruction ID: a314a52801a9ed7b491f18a788c3d0a45f5fd40958fa0f9c14c695809099aee2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce5c368e064d5e8ddc79134c7228e007d6b1c22ab41ea978ef5a67c171706367
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7118A72F41535EBC711DBB5CD54AABBBA8AB547B0B110616F907DB340D630DD0086E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00A96F05,00000000,?), ref: 00A915CF
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A96F05,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A915D9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • ignored , xrefs: 00A9159E
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\apputil.cpp, xrefs: 00A915FA
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ArgvCommandErrorLastLine
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\apputil.cpp$ignored
                                                                                                                                                                                                  • API String ID: 3459693003-4167413685
                                                                                                                                                                                                  • Opcode ID: a9a884d4b982395354afa5165f790c41ef9dcb9b6ce11f529ca297cd10b7bf95
                                                                                                                                                                                                  • Instruction ID: 35175e5e0b5f94499da13d299ab39cb386e50d9fd2b11168b9b3cbcc6b6abc52
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a9a884d4b982395354afa5165f790c41ef9dcb9b6ce11f529ca297cd10b7bf95
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 00115176E01226BBCF21DB99D945E9EBBF8EF45750B050155FD05AB350E630DE00DBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00AD569E,?,?,?,?,00000001), ref: 00AD4FEB
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AD569E,?,?,?,?,00000001,?,00A972DA,?,?,00000000,?,?,00A9705B,00000002), ref: 00AD4FF7
                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00AD569E,?,?,?,?,00000001,?,00A972DA,?,?), ref: 00AD5060
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp, xrefs: 00AD5016
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp
                                                                                                                                                                                                  • API String ID: 1365068426-4006286326
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,76F930D0,?,?,00ABEEE9,00000000,00000000,00000000,00000000), ref: 00ABECC4
                                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?,?,00ABEEE9,00000000,00000000,00000000,00000000), ref: 00ABED4B
                                                                                                                                                                                                    • Part of subcall function 00A950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A950FA
                                                                                                                                                                                                    • Part of subcall function 00A950E9: RtlAllocateHeap.NTDLL(00000000,?,00A92D50,?,00000001,80004005,8007139F,?,?,00AD5417,8007139F,?,00000000,00000000,8007139F), ref: 00A95101
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to allocate memory for message data, xrefs: 00ABED13
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 00ABED09
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                                                                                                                                                                  • String ID: Failed to allocate memory for message data$c:\agent\_work\36\s\wix\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                                                  • API String ID: 2993511968-581129004
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00AA2190,00000000,?,00AA11D4,00ADE500,00000080,002E0032,00000000), ref: 00A9449B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AA11D4,00ADE500,00000080,002E0032,00000000,?,00AA2190,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00A944A8
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,00ADE500,00AA11D4,?,00AA11D4,00ADE500,00000080,002E0032,00000000,?,00AA2190,crypt32.dll,00000094), ref: 00A944FC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A944CC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 2528220319-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00ABA7DB,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00A94087
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00ABA7DB,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00A94094
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateErrorFileLast
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 1214770103-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00AA245E
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to update resume mode., xrefs: 00AA242F
                                                                                                                                                                                                  • Failed to update name and publisher., xrefs: 00AA2448
                                                                                                                                                                                                  • Failed to open registration key., xrefs: 00AA2415
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                  • String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
                                                                                                                                                                                                  • API String ID: 47109696-1865096027
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ControlService.ADVAPI32(00AB868F,00000001,?,00000001,00000000,?,?,?,?,?,?,00AB868F,00000000), ref: 00AB87A3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00AB868F,00000000), ref: 00AB87AD
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to stop wusa service., xrefs: 00AB87DB
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp, xrefs: 00AB87D1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ControlErrorLastService
                                                                                                                                                                                                  • String ID: Failed to stop wusa service.$c:\agent\_work\36\s\wix\src\burn\engine\msuengine.cpp
                                                                                                                                                                                                  • API String ID: 4114567744-2975936710
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00AB0965
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB096F
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB0993
                                                                                                                                                                                                  • Failed to post elevate message., xrefs: 00AB099D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post elevate message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-3490677751
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00A9F5E8
                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,00A965A9,00000000,?,?,00A97154,?,?), ref: 00A9F5F7
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A965A9,00000000,?,?,00A97154,?,?), ref: 00A9F601
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BootstrapperApplicationDestroy, xrefs: 00A9F5E0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorFreeLastLibraryProc
                                                                                                                                                                                                  • String ID: BootstrapperApplicationDestroy
                                                                                                                                                                                                  • API String ID: 1144718084-3186005537
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00AB106A
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB1074
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB1098
                                                                                                                                                                                                  • Failed to post shutdown message., xrefs: 00AB10A2
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post shutdown message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-3792247793
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetEvent.KERNEL32(00ADE478,00000000,?,00AB32E3,?,00000000,?,00A9DF87,?,00A970CB,?,00AA91E6,?,?,00A970CB,?), ref: 00AB2398
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AB32E3,?,00000000,?,00A9DF87,?,00A970CB,?,00AA91E6,?,?,00A970CB,?,00A9710B,00000001), ref: 00AB23A2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00AB23C6
                                                                                                                                                                                                  • Failed to set begin operation event., xrefs: 00AB23D0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorEventLast
                                                                                                                                                                                                  • String ID: Failed to set begin operation event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 3848097054-2329002262
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00AB08E9
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB08F3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB0917
                                                                                                                                                                                                  • Failed to post detect message., xrefs: 00AB0921
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post detect message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-166205116
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00AB0858
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB0862
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB0886
                                                                                                                                                                                                  • Failed to post apply message., xrefs: 00AB0890
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post apply message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-3808695918
                                                                                                                                                                                                  • Opcode ID: 23dad6075bc262580d6fc0d8fb1e37cc824d57529fb4ed48d29b0d9d22d58c6d
                                                                                                                                                                                                  • Instruction ID: a578a2c3d19e0297e6bede8a819d948d16a2f973158f8496049cf66eeee466a5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 23dad6075bc262580d6fc0d8fb1e37cc824d57529fb4ed48d29b0d9d22d58c6d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7F0A737B4233477D62166DAAD09E8B7F98AF00BB0B020112FD04AF191E520DD0085E4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00AB0F5C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AB0F66
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00AB0F8A
                                                                                                                                                                                                  • Failed to post plan message., xrefs: 00AB0F94
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post plan message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-3310000785
                                                                                                                                                                                                  • Opcode ID: c5cc945770ab63cdb90286d38039c275040c82a4b97cf461cada3e1ad5f6cfc6
                                                                                                                                                                                                  • Instruction ID: 8a344774aa504dab8aba2fb7e5a4444fd7e4044ab32d0e18d1f2c7c960076ea0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5cc945770ab63cdb90286d38039c275040c82a4b97cf461cada3e1ad5f6cfc6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8EF0A733B4123477C630A6A99C09E97BF98AF00BA0B020111BD44AF192E661DC0085E1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(4A22C385,?,00000000,00AFB9F8), ref: 00AD133F
                                                                                                                                                                                                    • Part of subcall function 00ACCE00: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00AD0FB5,?,00000000,-00000008), ref: 00ACCEAC
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AD159A
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00AD15E2
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD1685
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2112829910-0
                                                                                                                                                                                                  • Opcode ID: 62ec27c25380c66f8296d1d2ca54313d7ca6b03a527b4ea12a5c53177950d80a
                                                                                                                                                                                                  • Instruction ID: 33b3ec7ff210be6cb0e72d26af2150d890fd4330e65e7cab0bb6ef769d5c2554
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62ec27c25380c66f8296d1d2ca54313d7ca6b03a527b4ea12a5c53177950d80a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DDD136B5E04258AFCB15CFE8D880AEDBBB5FF49304F18452AE456EB351D730A942CB60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 00AD966C
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                                                                                                                                                                                  • API String ID: 1659193697-666089989
                                                                                                                                                                                                  • Opcode ID: ae66d12aa4b3da2f3d38b91f29b957f09d8ba897c34e388d3442fc23109e41e0
                                                                                                                                                                                                  • Instruction ID: 155380ac8a45ed5af26f8860eede84d26e7532c122bd040a777aef81e44d16fa
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae66d12aa4b3da2f3d38b91f29b957f09d8ba897c34e388d3442fc23109e41e0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4517072A0022AABCB12DFE49C849AFBBB9BF48750F154126F902A7310D770DD45DBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00000000,?,00A97218,?,?,?,?,?,?), ref: 00A96CC4
                                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00A97218,?,?,?,?,?,?), ref: 00A96CD8
                                                                                                                                                                                                  • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A97218,?,?), ref: 00A96DC7
                                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A97218,?,?), ref: 00A96DCE
                                                                                                                                                                                                    • Part of subcall function 00A914EA: LocalFree.KERNEL32(?,?,00A96C81,?,00000000,?,00A97218,?,?,?,?,?,?), ref: 00A914F4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalDeleteFreeSection$CloseHandleLocal
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3671900028-0
                                                                                                                                                                                                  • Opcode ID: 23d43964664348c31cdbf4d48c32aa8abbf4681be18aabaf97a1fa6a95a0d33d
                                                                                                                                                                                                  • Instruction ID: 7c0236ad1be493fcfa87e77a897c9bdd708ac33ba84887ab588bafbb2311af9b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 23d43964664348c31cdbf4d48c32aa8abbf4681be18aabaf97a1fa6a95a0d33d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB4196B1701B459BDE60EBB4CA89F9B73ECAF04340F440D29B2AAD7051EB34E5458B64
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD78B9
                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00AD78C5
                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00AD7939
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD7944
                                                                                                                                                                                                    • Part of subcall function 00AD7AF1: SysAllocString.OLEAUT32(?), ref: 00AD7B06
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$AllocVariant$ClearFreeInit
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 347726874-0
                                                                                                                                                                                                  • Opcode ID: 574f96c99d2bb4760a1acd9e8d9bec8244b58fced7184339938d2fc3cd502b07
                                                                                                                                                                                                  • Instruction ID: 94eba0cb593ec564648d8b3b41f965c332a2614e5d0c51d7aeee6b1b924e649f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 574f96c99d2bb4760a1acd9e8d9bec8244b58fced7184339938d2fc3cd502b07
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E214F72901219AFCB18DFA5C858EAEBBB9FF45715F140559E8029B320E730EE01CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00AA1644: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00A96971,?,?,00000001), ref: 00AA1694
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00A969D8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get current process path., xrefs: 00A96996
                                                                                                                                                                                                  • Unable to get resume command line from the registry, xrefs: 00A96977
                                                                                                                                                                                                  • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00A969C2
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close$Handle
                                                                                                                                                                                                  • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                                                                                                                                                                                                  • API String ID: 187904097-642631345
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00AC3C2B
                                                                                                                                                                                                    • Part of subcall function 00AC3B78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AC3BA7
                                                                                                                                                                                                    • Part of subcall function 00AC3B78: ___AdjustPointer.LIBCMT ref: 00AC3BC2
                                                                                                                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00AC3C40
                                                                                                                                                                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AC3C51
                                                                                                                                                                                                  • CallCatchBlock.LIBVCRUNTIME ref: 00AC3C79
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 737400349-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00A9913F
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00A991A6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get value as numeric for variable: %ls, xrefs: 00A99195
                                                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 00A99179
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-4270472870
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00A992AE
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00A99315
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 00A992E8
                                                                                                                                                                                                  • Failed to get value as version for variable: %ls, xrefs: 00A99304
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-1851729331
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00AA8C6F,000000B8,00000000,?,00000000,753DB390), ref: 00A9F1AD
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(000000D0,?,00AA8C6F,000000B8,00000000,?,00000000,753DB390), ref: 00A9F1D0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Engine active cannot be changed because it was already in that state., xrefs: 00A9F1F3
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp, xrefs: 00A9F1E9
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Engine active cannot be changed because it was already in that state.$c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp
                                                                                                                                                                                                  • API String ID: 3168844106-3237756853
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00A9B599,00000000,?,00000000,00000000,00000000,?,00A9B3DA,00000000,?,00000000,00000000), ref: 00A9923F
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00A9B599,00000000,?,00000000,00000000,00000000,?,00A9B3DA,00000000,?,00000000), ref: 00A99295
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy value of variable: %ls, xrefs: 00A99284
                                                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 00A99265
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-2936390398
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WriteConsoleW.KERNEL32(?,00AFB9F8,00000000,00000000,?,?,00AD2B4B,?,00000001,?,00AFB9F8,?,00AD16D9,00AFB9F8,?,00000000), ref: 00AD39DD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00AD2B4B,?,00000001,?,00AFB9F8,?,00AD16D9,00AFB9F8,?,00000000,00AFB9F8,00AFB9F8,?,00AD1C60,?), ref: 00AD39E9
                                                                                                                                                                                                    • Part of subcall function 00AD39AF: CloseHandle.KERNEL32(FFFFFFFE,00AD39F9,?,00AD2B4B,?,00000001,?,00AFB9F8,?,00AD16D9,00AFB9F8,?,00000000,00AFB9F8,00AFB9F8), ref: 00AD39BF
                                                                                                                                                                                                  • ___initconout.LIBCMT ref: 00AD39F9
                                                                                                                                                                                                    • Part of subcall function 00AD3971: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00AD39A0,00AD2B38,00AFB9F8,?,00AD16D9,00AFB9F8,?,00000000,00AFB9F8), ref: 00AD3984
                                                                                                                                                                                                  • WriteConsoleW.KERNEL32(?,00AFB9F8,00000000,00000000,?,00AD2B4B,?,00000001,?,00AFB9F8,?,00AD16D9,00AFB9F8,?,00000000,00AFB9F8), ref: 00AD3A0E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 2744216297-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A9569B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A95688
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 3535843008-90795250
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000,00000101), ref: 00A93FD9
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                  • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                                                                                                                  • API String ID: 47109696-3023217399
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A959DD
                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A95A15
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A95A51
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: QueryValue
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 3660427363-90795250
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe$n k
                                                                                                                                                                                                  • API String ID: 0-1663389430
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00AC2CA3
                                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00AC2D5C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                  • API String ID: 3480331319-1018135373
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00ADC444: lstrlenW.KERNEL32(00000100,?,?,?,00ADC7E4,000002C0,00000100,00000100,00000100,?,?,?,00AB98FA,?,?,000001BC), ref: 00ADC469
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00ADE500,wininet.dll,?), ref: 00ADC653
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00ADE500,wininet.dll,?), ref: 00ADC660
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                    • Part of subcall function 00A95711: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00ABA97E), ref: 00A9576C
                                                                                                                                                                                                    • Part of subcall function 00A95711: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00ABA97E,00000000), ref: 00A9578A
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close$EnumInfoOpenQuerylstrlen
                                                                                                                                                                                                  • String ID: wininet.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: _memcpy_s
                                                                                                                                                                                                  • String ID: crypt32.dll$wininet.dll
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00AA5C74,feclient.dll,?,00000000,?,?,?,00A967E0), ref: 00AA5805
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A959DD
                                                                                                                                                                                                    • Part of subcall function 00A95967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A95A15
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Logging, xrefs: 00AA5792
                                                                                                                                                                                                  • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00AA577B
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                                                                                                  • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(00020006,00AE4178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00AA1017,00000000,?,00020006), ref: 00A95DC3
                                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(00020006,00AE4178,00000000,?,?,00AA1017,00000000,?,00020006,?,00AE4178,00020006,00000000,?,?,?), ref: 00A95DF3
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 00A95E27
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Value$Delete
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00AB9214,00000000,IGNOREDEPENDENCIES,00000000,?,00ADE518), ref: 00A9FAE1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to copy the property value., xrefs: 00A9FB15
                                                                                                                                                                                                  • IGNOREDEPENDENCIES, xrefs: 00A9FA98
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                                                  • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000), ref: 00AA7491
                                                                                                                                                                                                  • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00AA74EA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to initialize COM on cache thread., xrefs: 00AA74A6
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: InitializeUninitialize
                                                                                                                                                                                                  • String ID: Failed to initialize COM on cache thread.
                                                                                                                                                                                                  • API String ID: 3442037557-3629645316
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00AAAAEB,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00AD8CBB
                                                                                                                                                                                                  • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00AAAAEB,?), ref: 00AD8CD6
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\aclutil.cpp, xrefs: 00AD8CFA
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: InfoNamedSecuritySleep
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\aclutil.cpp
                                                                                                                                                                                                  • API String ID: 2352087905-3174441122
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LCMapStringW.KERNEL32(0000007F,00000000,00000000,00AA8D17,00000000,00AA8D17,00000000,00000000,00AA8D17,00000000,00000000,00000000,?,00A92DF4,00000000,00000000), ref: 00A92009
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00A92DF4,00000000,00000000,00AA8D17,00000200,?,00AD8906,00000000,00AA8D17,00000000,00AA8D17,00000000,00000000,00000000), ref: 00A92013
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp, xrefs: 00A92037
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastString
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\strutil.cpp
                                                                                                                                                                                                  • API String ID: 3728238275-3940310746
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD8043
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD8076
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 344208780-1984227935
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD7FBD
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD7FF0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 344208780-1984227935
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00A9582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00AFEBD4,00000000,?,00AD8E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A95840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00AD80E3,?), ref: 00AD82B4
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • EnableLUA, xrefs: 00AD8286
                                                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00AD825E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                  • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                                                                                                                                                                  • API String ID: 47109696-3551287084
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00AD9F3A
                                                                                                                                                                                                    • Part of subcall function 00ADBD21: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00ADBE2E
                                                                                                                                                                                                    • Part of subcall function 00ADBD21: GetLastError.KERNEL32 ref: 00ADBE38
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • clbcatq.dll, xrefs: 00AD9F07
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 00AD9F28
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Time$ErrorFileFreeLastStringSystem
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp$clbcatq.dll
                                                                                                                                                                                                  • API String ID: 211557998-3585793889
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00A9822F
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00A97B69,00000000), ref: 00AD5CE7
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetProcAddress.KERNEL32(00000000), ref: 00AD5CEE
                                                                                                                                                                                                    • Part of subcall function 00AD5CD2: GetLastError.KERNEL32(?,?,?,?,00A97B69,00000000), ref: 00AD5D09
                                                                                                                                                                                                    • Part of subcall function 00A9799D: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00A97A23
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A9826C
                                                                                                                                                                                                  • Failed to get 64-bit folder., xrefs: 00A98252
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                                                                  • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                                                                                                                                                                                  • API String ID: 3109562764-2681622189
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00A9114E,?,00000000), ref: 00A94E5B
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00A9114E,?,00000000), ref: 00A94E72
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 00A94E96
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastModuleName
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\pathutil.cpp
                                                                                                                                                                                                  • API String ID: 2776309574-3540446462
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0CC2
                                                                                                                                                                                                    • Part of subcall function 00AC2ECD: RaiseException.KERNEL32(?,?,?,00AC0CE4,?,00000000,00000000,?,?,?,?,?,00AC0CE4,?,00AFB5D0), ref: 00AC2F2D
                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0CDF
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                  • String ID: Unknown exception
                                                                                                                                                                                                  • API String ID: 3476068407-410509341
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,76F934C0,?,?,?,00A9D729,?,?,?,00000000,00000000), ref: 00A940F6
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00A9D729,?,?,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 00A94100
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00A94124
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastSize
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 464720113-1339450348
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00A9712C,?,00000000,00A9712C,?,?,?), ref: 00AD83F9
                                                                                                                                                                                                  • CoCreateInstance.OLE32(00000000,00000000,00000001,00AFACCC,?), ref: 00AD8411
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Microsoft.Update.AutoUpdate, xrefs: 00AD83F4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateFromInstanceProg
                                                                                                                                                                                                  • String ID: Microsoft.Update.AutoUpdate
                                                                                                                                                                                                  • API String ID: 2151042543-675569418
                                                                                                                                                                                                  • Opcode ID: b2d95175683fbed25b4440cb32412bb7ed28e3ee6b23555068ce2cd5489728fc
                                                                                                                                                                                                  • Instruction ID: 5f0559ff77ec589d70453b877994fddb3b71199b6e7ea6c84a5a8247921f1dce
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2d95175683fbed25b4440cb32412bb7ed28e3ee6b23555068ce2cd5489728fc
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AF0F4B1641619BBD700EBF9DD05EFFB7B8EB48710F414425F602E7150D674AE05C662
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD7861
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD7891
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00AD7875
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 344208780-1984227935
                                                                                                                                                                                                  • Opcode ID: 68979648450530b423fe678a3cbca2ea785b4f67b173ca141457c86562104680
                                                                                                                                                                                                  • Instruction ID: 1d54ac1fde020987337eaaa4aeb0b6c422b9faf9616a805b093ac2abf3ec2408
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68979648450530b423fe678a3cbca2ea785b4f67b173ca141457c86562104680
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2F09A35A45225ABC7219B509C08FAF7BB5AB80B61F15012AFC0A6F310E7759890EAA1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00AD7B06
                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00AD7B36
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00AD7B1D
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                                                                                                                                                                                  • API String ID: 344208780-1984227935
                                                                                                                                                                                                  • Opcode ID: 494909c200785eea34de52a119502dc888dde0e692829577514ae58940e0293a
                                                                                                                                                                                                  • Instruction ID: 53aa3088d7b4a0feda2b78bcfe5c669d53454f5b27f6a82de5d9e5a654837886
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 494909c200785eea34de52a119502dc888dde0e692829577514ae58940e0293a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68F0BE35245229EBCB269F849C08EAF7B68EB40B64B110127FC0BAF310E774DC409AE1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 00A97F37
                                                                                                                                                                                                    • Part of subcall function 00AD5BCA: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00A97F43,00000000), ref: 00AD5BDC
                                                                                                                                                                                                    • Part of subcall function 00AD5BCA: GetProcAddress.KERNEL32(00000000), ref: 00AD5BE3
                                                                                                                                                                                                    • Part of subcall function 00AD5BCA: GetLastError.KERNEL32(?,?,?,00A97F43,00000000), ref: 00AD5C02
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set variant value., xrefs: 00A97F6A
                                                                                                                                                                                                  • Failed to get native machine value., xrefs: 00A97F49
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                                                                  • String ID: Failed to get native machine value.$Failed to set variant value.
                                                                                                                                                                                                  • API String ID: 896058289-851826934
                                                                                                                                                                                                  • Opcode ID: 156fab9e134faa0e807ee83a412d0ec68bf435bcebd737ec7a87208f59e3beb5
                                                                                                                                                                                                  • Instruction ID: 9bfceb7a4f69366db841fbcdef6bb402fdd903bb469627c75c253526bc994936
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 156fab9e134faa0e807ee83a412d0ec68bf435bcebd737ec7a87208f59e3beb5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B6F08272A58664768F1166A89D05DBE76EC9B01765B104252F801F6240DA65DE40C2B4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A956EA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                                                  • String ID: AdvApi32.dll$RegDeleteKeyExW
                                                                                                                                                                                                  • API String ID: 190572456-850864035
                                                                                                                                                                                                  • Opcode ID: 9eb88326f7064eedc73e684732e15baed2802955c061df492002c3336b9d1103
                                                                                                                                                                                                  • Instruction ID: f3bf5d0c71a0d58d21300de0635af4762d63bb7e03e619fbf54da7ccb369b381
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9eb88326f7064eedc73e684732e15baed2802955c061df492002c3336b9d1103
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9DE0C270B01222ABD701FBF4FC46B213AE0B300B81F008952F103AA2B0E3B05842CBC4
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000004.00000002.1621884409.0000000000A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A90000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621858900.0000000000A90000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621965061.0000000000AFE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  • Associated: 00000004.00000002.1621985690.0000000000B01000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_a90000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CommandLine
                                                                                                                                                                                                  • String ID: n k
                                                                                                                                                                                                  • API String ID: 3253501508-4075594570
                                                                                                                                                                                                  • Opcode ID: e2a04124e8ab22e484d9a1d2afd264bee6a1bfb3b7853dc631d5702367f539d2
                                                                                                                                                                                                  • Instruction ID: f98edd17347207294f8522c2c79a64242e90d4fb1fe0e95727ba3c7177c0d824
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e2a04124e8ab22e484d9a1d2afd264bee6a1bfb3b7853dc631d5702367f539d2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3B048788022008F8B00EFE4A90C0953BA8BA0830638021A7D84AC6330D7348112CA00

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,?), ref: 0039175F
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391772
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,?), ref: 003917BD
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 003917C7
                                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,00000000,?), ref: 0039181A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391824
                                                                                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,?,00000000,?), ref: 00391878
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391889
                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000,?), ref: 0039195B
                                                                                                                                                                                                  • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?), ref: 0039196F
                                                                                                                                                                                                  • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,?,00000000,?), ref: 00391998
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,?,00000000,?), ref: 003919BB
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,?), ref: 003919D4
                                                                                                                                                                                                  • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,00000000,?), ref: 003919E4
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 003919F9
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391A28
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391A4A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391A6C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391A77
                                                                                                                                                                                                  • RemoveDirectoryW.KERNELBASE(?,?,?,?,?,00000000,?), ref: 00391AA0
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,?), ref: 00391AAA
                                                                                                                                                                                                  • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,?), ref: 00391ACE
                                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,00000000,?), ref: 00391AFA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                                                                                                                                                                                  • String ID: *.*$DEL$c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp
                                                                                                                                                                                                  • API String ID: 1544372074-374933037
                                                                                                                                                                                                  • Opcode ID: f2115d108a64bd14c493c795622a53dd2a7ed392e06c63801f0aece72f7b66cf
                                                                                                                                                                                                  • Instruction ID: 91de5b2b2892c3dcf450ab2ed65019320d985cd7fd9a73b77e412f2f52325d04
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2115d108a64bd14c493c795622a53dd2a7ed392e06c63801f0aece72f7b66cf
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 74A1F877E4223B97DF3356A58D09BAABA6D6F00760F064291ED04BB190D735CD80CBE0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 00394E3A: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000000,00000104,?,00000000,00000000,?,003BCAA4,00000001,00000000,?,WixBundleSourceProcessPath,00000001,?), ref: 00394E5B
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00391167
                                                                                                                                                                                                    • Part of subcall function 003914FE: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0039118B,cabinet.dll,00000009,?,?,00000000), ref: 0039150F
                                                                                                                                                                                                    • Part of subcall function 003914FE: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0039118B,cabinet.dll,00000009,?,?,00000000), ref: 0039151A
                                                                                                                                                                                                    • Part of subcall function 003914FE: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00391528
                                                                                                                                                                                                    • Part of subcall function 003914FE: GetLastError.KERNEL32(?,?,?,?,?,0039118B,cabinet.dll,00000009,?,?,00000000), ref: 00391543
                                                                                                                                                                                                    • Part of subcall function 003914FE: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0039154B
                                                                                                                                                                                                    • Part of subcall function 003914FE: GetLastError.KERNEL32(?,?,?,?,?,0039118B,cabinet.dll,00000009,?,?,00000000), ref: 00391560
                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,003DE4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 003911AA
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                                                                                                                  • String ID: `=$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$version.dll$wininet.dll$x=$=
                                                                                                                                                                                                  • API String ID: 3687706282-3709402922
                                                                                                                                                                                                  • Opcode ID: 8f1518de666eca6b203709744d525dc863f0755dd20a2fc3ab43f9bae637b434
                                                                                                                                                                                                  • Instruction ID: 8bfbdf160e75d8c26d4de06cf268e46b72ee21be441f3d1326d42ba99d342db1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f1518de666eca6b203709744d525dc863f0755dd20a2fc3ab43f9bae637b434
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22218276A01219ABDF12AFA5DC45BDEBBB8AB09714F114519F910BA290D7709904CBA0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(003FF764,00000000,?,?,?,?,003B2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 003D509B
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(00000000,?,003B2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 003D50AB
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 003D50B4
                                                                                                                                                                                                  • GetLocalTime.KERNEL32(8007139F,?,003B2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 003D50CA
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(003FF764,003B2E9E,?,00000000,0000FDE9,?,003B2E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 003D51C1
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • h=, xrefs: 003D5135
                                                                                                                                                                                                  • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 003D5167
                                                                                                                                                                                                  • h=, xrefs: 003D5126
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                                                                                                                  • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$h=$h=
                                                                                                                                                                                                  • API String ID: 296830338-310950270
                                                                                                                                                                                                  • Opcode ID: 34505a55c009bac53bee08cd514b89b450583f77f7e095d83ed49f5fa3176064
                                                                                                                                                                                                  • Instruction ID: 5db0b40560064bf326b27f38b4af2c7fefec185a1d7077180f636dca5402d0ee
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34505a55c009bac53bee08cd514b89b450583f77f7e095d83ed49f5fa3176064
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F941A273E0061AAFDF23AFA5EC44BBEB7B8EB08751F110026F901E6250D6349D44C7A1

                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                                                  • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp$yes$
                                                                                                                                                                                                  • API String ID: 760788290-4060943106
                                                                                                                                                                                                  • Opcode ID: bbbc2d9edd6e6433e86ee8917dce842715c4b130ed63363493c0a251aa45ceee
                                                                                                                                                                                                  • Instruction ID: 3601e980b6c9ee25ac07cd8f2364f8c981925b1e859c89963e060376bf405816
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bbbc2d9edd6e6433e86ee8917dce842715c4b130ed63363493c0a251aa45ceee
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27E1A433E446B6BBCB2796A1CC51EFD76A8EB06710F160365F960BB2D0E761AD0057D0

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 0039D20E
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D25C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 0039D262
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,9a9H,00000040,?,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D2AA
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,7752C3F0,00000000), ref: 0039D2B0
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D30D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D313
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D35C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D362
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D3D3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D3D9
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D422
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D428
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D471
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D477
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D4C3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D4C9
                                                                                                                                                                                                    • Part of subcall function 003950E9: GetProcessHeap.KERNEL32(?,000001C7,?,00392D50,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000,00000000,8007139F), ref: 003950FA
                                                                                                                                                                                                    • Part of subcall function 003950E9: RtlAllocateHeap.NTDLL(00000000,?,00392D50,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000,00000000,8007139F), ref: 00395101
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D51C
                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D57E
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D608
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7752C3F0,00000000), ref: 0039D612
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                                                                                                                                                                  • String ID: ($.wix$4$9a9H$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\36\s\wix\src\burn\engine\section.cpp
                                                                                                                                                                                                  • API String ID: 3411815225-3527496202
                                                                                                                                                                                                  • Opcode ID: 2759f020efebbab229dc0b638ebca3746158d6bdc0605f89042239d299e2e8f1
                                                                                                                                                                                                  • Instruction ID: 9de27cd7e8637328bfd6a4335f1f615252a0293be0eaa1ba1f4abd9892f907b0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2759f020efebbab229dc0b638ebca3746158d6bdc0605f89042239d299e2e8f1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F712A476A81235ABDF239B55CD46FAB7AB8AB01710F010295FD08BF6C1E6749D40CBE1

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,753DB390,?,00396205,?,003DE500), ref: 003A71B6
                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00396205,?,003DE500), ref: 003A71C1
                                                                                                                                                                                                  • SetNamedPipeHandleState.KERNELBASE(?,000000FF,00000000,00000000,?,00396205,?,003DE500), ref: 003A71F8
                                                                                                                                                                                                  • ConnectNamedPipe.KERNELBASE(?,00000000,?,00396205,?,003DE500), ref: 003A720D
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A7217
                                                                                                                                                                                                  • Sleep.KERNELBASE(00000064,?,00396205,?,003DE500), ref: 003A724C
                                                                                                                                                                                                  • SetNamedPipeHandleState.KERNELBASE(?,00000000,00000000,00000000,?,00396205,?,003DE500), ref: 003A726F
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00396205,?,003DE500), ref: 003A728A
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,00396205,003DE500,00000000,00000000,?,00396205,?,003DE500), ref: 003A72A5
                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00396205,?,003DE500), ref: 003A72C0
                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,00000000,00000004,00000000,00000000,?,00396205,?,003DE500), ref: 003A72DB
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A7336
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A736A
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A739E
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A73D2
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A7403
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00396205,?,003DE500), ref: 003A7434
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                                                                                                                                                  • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                                                                                                                                                                                                  • API String ID: 2944378912-1623437160
                                                                                                                                                                                                  • Opcode ID: abf3a2044519d34bf86c3f8364a3575287c3e5cf4be0957702f543c551a9ed1c
                                                                                                                                                                                                  • Instruction ID: 995179cbfd6b71ef6c3b617af3eb5163974b2516a3d17e3f3e3c5e64cba0b8c7
                                                                                                                                                                                                  • Opcode Fuzzy Hash: abf3a2044519d34bf86c3f8364a3575287c3e5cf4be0957702f543c551a9ed1c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF61EA77E852366BDB2296A69C85BAEBAACEF05710F120525FD00FF1C0E774DD0186E0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,0039C5C6,00000100,000002C0,000002C0,00000100), ref: 00397455
                                                                                                                                                                                                  • lstrlenW.KERNEL32(000002C0,?,0039C5C6,00000100,000002C0,000002C0,00000100), ref: 0039745F
                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 00397664
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0039C5C6,00000100,000002C0,000002C0,00000100), ref: 00397907
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                                                                                                                  • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                                                                                                                                                                                  • API String ID: 1026845265-424859304
                                                                                                                                                                                                  • Opcode ID: 358d43f98a4c57aeba86e3a46d4abdb81f8e73eb590831ba8e227013bd75a616
                                                                                                                                                                                                  • Instruction ID: 29164f65c77fe5c837ab947d9a326944e58acbb6f2e2cfc5772bede0b2b6c4ba
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 358d43f98a4c57aeba86e3a46d4abdb81f8e73eb590831ba8e227013bd75a616
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDF1B572D14229ABDF139FA58841ABF7BB8EF44750F15852AFD05AB280D7749E40CFA0

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to set source process folder variable., xrefs: 003A9386
                                                                                                                                                                                                  • Failed to get manifest stream from container., xrefs: 003A920D
                                                                                                                                                                                                  • Failed to set source process path variable., xrefs: 003A934A
                                                                                                                                                                                                  • Failed to get source process folder from path., xrefs: 003A9366
                                                                                                                                                                                                  • WixBundleOriginalSource, xrefs: 003A939A
                                                                                                                                                                                                  • Failed to open manifest stream., xrefs: 003A91EC
                                                                                                                                                                                                  • WixBundleElevated, xrefs: 003A92E6, 003A92F7
                                                                                                                                                                                                  • WixBundleSourceProcessFolder, xrefs: 003A9375
                                                                                                                                                                                                  • Failed to load manifest., xrefs: 003A9229
                                                                                                                                                                                                  • Failed to overwrite the %ls built-in variable., xrefs: 003A92FC
                                                                                                                                                                                                  • Failed to get unique temporary folder for bootstrapper application., xrefs: 003A940F
                                                                                                                                                                                                  • Failed to load catalog files., xrefs: 003A9450
                                                                                                                                                                                                  • WixBundleSourceProcessPath, xrefs: 003A9339
                                                                                                                                                                                                  • Failed to parse command line., xrefs: 003A92A8
                                                                                                                                                                                                  • WixBundleUILevel, xrefs: 003A9317, 003A9328
                                                                                                                                                                                                  • Failed to initialize variables., xrefs: 003A91B2
                                                                                                                                                                                                  • Failed to open attached UX container., xrefs: 003A91CF
                                                                                                                                                                                                  • Failed to extract bootstrapper application payloads., xrefs: 003A9430
                                                                                                                                                                                                  • Failed to set original source variable., xrefs: 003A93AB
                                                                                                                                                                                                  • h=, xrefs: 003A92B9
                                                                                                                                                                                                  • Failed to initialize internal cache functionality., xrefs: 003A93E0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalInitializeSection
                                                                                                                                                                                                  • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel$h=
                                                                                                                                                                                                  • API String ID: 32694325-335029745
                                                                                                                                                                                                  • Opcode ID: a94f4a6d9f7748ae87fdd564b5dd0a34b97b42dcf278cfaf2271ef07d67a5328
                                                                                                                                                                                                  • Instruction ID: 856e1ca119876550db301c9c111cd168d8777afa6b55925a820a7480e356564b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a94f4a6d9f7748ae87fdd564b5dd0a34b97b42dcf278cfaf2271ef07d67a5328
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 62A15076E4066ABADF13DAA5CC81FEAB7ACAB05700F050227F519FA181DB74E9448790

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  control_flow_graph 1427 399322-399c1d InitializeCriticalSection 1428 399c20-399c44 call 3972e7 1427->1428 1431 399c51-399c62 call 3d53e7 1428->1431 1432 399c46-399c4d 1428->1432 1435 399c65-399c75 call 3c0093 1431->1435 1432->1428 1433 399c4f 1432->1433 1433->1435
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(003A91AC,00397083,00000000,0039710B), ref: 00399342
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalInitializeSection
                                                                                                                                                                                                  • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion$h=
                                                                                                                                                                                                  • API String ID: 32694325-1038389110

                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00396A86,?,?,00000000,00396A86,00000000), ref: 003AA371
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003AA37E
                                                                                                                                                                                                    • Part of subcall function 003935C3: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00393659
                                                                                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,003DE4B8,00000000,00000000,00000000,?,00000000,003DE500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003AA42B
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003AA435
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,003DE500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003AA560
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 003AA3A2, 003AA459, 003AA4C0, 003AA52F
                                                                                                                                                                                                  • cabinet.dll, xrefs: 003AA4D9
                                                                                                                                                                                                  • Failed to create engine file at path: %ls, xrefs: 003AA3AF
                                                                                                                                                                                                  • Failed to seek to original data in exe burn section header., xrefs: 003AA539
                                                                                                                                                                                                  • Failed to seek to signature table in exe header., xrefs: 003AA4CA
                                                                                                                                                                                                  • Failed to update signature offset., xrefs: 003AA47F
                                                                                                                                                                                                  • Failed to zero out original data offset., xrefs: 003AA552
                                                                                                                                                                                                  • Failed to seek to beginning of engine file: %ls, xrefs: 003AA3D7
                                                                                                                                                                                                  • Failed to copy engine from: %ls to: %ls, xrefs: 003AA406
                                                                                                                                                                                                  • msi.dll, xrefs: 003AA472
                                                                                                                                                                                                  • Failed to seek to checksum in exe header., xrefs: 003AA463
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                                                                                                                                                                                  • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp$cabinet.dll$msi.dll
                                                                                                                                                                                                  • API String ID: 3456208997-1085769834
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: lstrlen
                                                                                                                                                                                                  • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$c:\agent\_work\36\s\wix\src\burn\engine\msiengine.cpp$msasn1.dll
                                                                                                                                                                                                  • API String ID: 1659193697-4140814266
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • TlsSetValue.KERNEL32(?,?), ref: 003B047C
                                                                                                                                                                                                  • RegisterClassW.USER32(?), ref: 003B04A8
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B04B3
                                                                                                                                                                                                  • CreateWindowExW.USER32(00000080,003ED4EC,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 003B051A
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B0524
                                                                                                                                                                                                  • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 003B05C2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                                                                                                                                                  • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp
                                                                                                                                                                                                  • API String ID: 213125376-1648313654
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,003D7C60,00000000,?,00000000), ref: 003D76CC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,003BDB3B,?,003970CB,?,00000000,?), ref: 003D76D8
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003D7718
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003D7724
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 003D772F
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003D7739
                                                                                                                                                                                                  • CoCreateInstance.OLE32(003FF7E4,00000000,00000001,003DE9F0,?,?,?,?,?,?,?,?,?,?,?,003BDB3B), ref: 003D7774
                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 003D7823
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • IsWow64Process, xrefs: 003D7712
                                                                                                                                                                                                  • =, xrefs: 003D778E
                                                                                                                                                                                                  • Wow64RevertWow64FsRedirection, xrefs: 003D7731
                                                                                                                                                                                                  • kernel32.dll, xrefs: 003D76BC
                                                                                                                                                                                                  • Wow64EnableWow64FsRedirection, xrefs: 003D7726
                                                                                                                                                                                                  • Wow64DisableWow64FsRedirection, xrefs: 003D771E
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 003D76FC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                                                                                                                  • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp$kernel32.dll$=
                                                                                                                                                                                                  • API String ID: 2124981135-2441071610
                                                                                                                                                                                                  • Opcode ID: e5fbd50a4c2ca1a24f171480bf314696a29fb650d16d98e0c3d897a96d350232
                                                                                                                                                                                                  • Instruction ID: 7f57e462cf4fe5259c0f4c90f8604e8d7dcc67af6e6c86548c2f0c711358786e
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5fbd50a4c2ca1a24f171480bf314696a29fb650d16d98e0c3d897a96d350232
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7541A636A05215ABDB239BA8D845FBEBBA4EF04750F12446BE905EB350E775DD00CB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 003913CA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00391409
                                                                                                                                                                                                    • Part of subcall function 003913CA: GetLastError.KERNEL32(?,?), ref: 00391413
                                                                                                                                                                                                    • Part of subcall function 00394143: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00394174
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 003D71A7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 003D71C7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 003D71E7
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 003D7207
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 003D7227
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 003D7247
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 003D7267
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressProc$ErrorLast$DirectorySystem
                                                                                                                                                                                                  • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                                                                                                                                                                  • API String ID: 2510051996-1735120554
                                                                                                                                                                                                  • Opcode ID: 0e5ef4048bf3a3fd0d469f50ff757c48eadf50007e52d1ef4fc76f1307ef1095
                                                                                                                                                                                                  • Instruction ID: 56bb05bc6ebe5896ddc1e8bab9fdbb0631e04a5dbdca599d2eddfeb49f3e6ad5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e5ef4048bf3a3fd0d469f50ff757c48eadf50007e52d1ef4fc76f1307ef1095
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1231E5B2A44609AEDB13BF61EC51B79FAE8EF01785F01053AEA0496374E376184ADF44
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,0000001C,?,00000000,00000000,00000000,00000000,?,0039E0EB,00000000,003BC8A1,?,003BC8A1), ref: 003B3344
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0039E0EB,00000000,003BC8A1,?,003BC8A1), ref: 003B334D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B3371, 003B33B7, 003B3403
                                                                                                                                                                                                  • Failed to create extraction thread., xrefs: 003B340D
                                                                                                                                                                                                  • Failed to copy file name., xrefs: 003B332F
                                                                                                                                                                                                  • Failed to wait for operation complete., xrefs: 003B3420
                                                                                                                                                                                                  • Failed to create operation complete event., xrefs: 003B33C1
                                                                                                                                                                                                  • Failed to create begin operation event., xrefs: 003B337B
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CreateErrorEventLast
                                                                                                                                                                                                  • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 545576003-2932755866
                                                                                                                                                                                                  • Opcode ID: 81e9ecb32d931e8e5a1f0e4b768a5df4657c1288286e58a56f2f8cbee2df8489
                                                                                                                                                                                                  • Instruction ID: d6b583a479873a1fcac0c5a8d73bbb8489917390810c54e4f144ddf47dcf7494
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 81e9ecb32d931e8e5a1f0e4b768a5df4657c1288286e58a56f2f8cbee2df8489
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1821EA77E8173677E22356579C45FEB699CAB00BA4F024216FE44BFA80EA60DD0045F1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 003B24CB
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 003B24E3
                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 003B24E8
                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 003B24EB
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 003B24F5
                                                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 003B2564
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 003B2571
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to open cabinet file: %hs, xrefs: 003B25A2
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B2519, 003B2595
                                                                                                                                                                                                  • Failed to duplicate handle to cab container., xrefs: 003B2523
                                                                                                                                                                                                  • Failed to add virtual file pointer for cab container., xrefs: 003B254A
                                                                                                                                                                                                  • <the>.cab, xrefs: 003B24C4
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                                                                                                  • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 3030546534-2422751550
                                                                                                                                                                                                  • Opcode ID: 38d7da1298373901e8c79eeab15e4d368d72e45784eb7967e9d2d39146b95575
                                                                                                                                                                                                  • Instruction ID: 5b736d84fddbb7e8093653525ed14f35b2ccf87080741a1992c2f35c60354fa6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 38d7da1298373901e8c79eeab15e4d368d72e45784eb7967e9d2d39146b95575
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C831A17694153ABBDB236B569C49FDBBF6CEF05764F110212FE04BB690D660AD008AE0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00397154,?,?), ref: 003B0718
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00397154,?,?), ref: 003B0725
                                                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00020436,?,00000000,00000000), ref: 003B077E
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00397154,?,?), ref: 003B078B
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00397154,?,?), ref: 003B07C6
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00397154,?,?), ref: 003B07E5
                                                                                                                                                                                                  • CloseHandle.KERNELBASE(?,?,00397154,?,?), ref: 003B07F2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create the UI thread., xrefs: 003B07B6
                                                                                                                                                                                                  • Failed to create initialization event., xrefs: 003B0750
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp, xrefs: 003B0746, 003B07AC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                                                                                                                  • String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\36\s\wix\src\burn\engine\uithread.cpp
                                                                                                                                                                                                  • API String ID: 2351989216-3815837529
                                                                                                                                                                                                  • Opcode ID: f6844fbb678932a96188814bd2df053c1be91b38234ee63d34c64b273a3dcab8
                                                                                                                                                                                                  • Instruction ID: fa79ac6d6e1b8b14b31a4385e320efdaeb75ac74580152dbf8507a0abcebbc04
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f6844fbb678932a96188814bd2df053c1be91b38234ee63d34c64b273a3dcab8
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C831CD76D01229BBD7129F999D85ADFFBBCBF04354F114126FA04F7280EA30AE008E90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,76F92F60,?,00000000), ref: 003B30D4
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B30E7
                                                                                                                                                                                                  • GetExitCodeThread.KERNELBASE(?,00000000), ref: 003B3129
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B3137
                                                                                                                                                                                                  • ResetEvent.KERNEL32(?), ref: 003B3172
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B317C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B310E, 003B315E, 003B31A3
                                                                                                                                                                                                  • Failed to get extraction thread exit code., xrefs: 003B3168
                                                                                                                                                                                                  • Failed to reset operation complete event., xrefs: 003B31AD
                                                                                                                                                                                                  • Failed to wait for operation complete event., xrefs: 003B3118
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                                                                                                  • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2979751695-296692858
                                                                                                                                                                                                  • Opcode ID: ade0e7e3d5db8484443bcf17f518193f95568ec6311f6222f2a8c7548e5e6981
                                                                                                                                                                                                  • Instruction ID: ded01f4bea630e16b8c692615842ef3cdd108b94bc69840465eb7a28a2160d4d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ade0e7e3d5db8484443bcf17f518193f95568ec6311f6222f2a8c7548e5e6981
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89318470B40226EBE712FF6ADD057EA7BFCAB00705F10451AFA05EA590E674DB009B21
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: ($Failed to set syncpoint event.$UX aborted cache.$begin cache package$c:\agent\_work\36\s\wix\src\burn\engine\apply.cpp$end cache package$layout bundle
                                                                                                                                                                                                  • API String ID: 0-2306250508
                                                                                                                                                                                                  • Opcode ID: 6623b20c1e2ad12efce2f72e1da244ce7ec955dde07054e0784ccf3d2b09d4b6
                                                                                                                                                                                                  • Instruction ID: 1c1341ad3cf82d698d6d689f54f6daf222c008b1b76bf99256bfa37162245fbb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6623b20c1e2ad12efce2f72e1da244ce7ec955dde07054e0784ccf3d2b09d4b6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8722397290061AFFCF16DF94C840EAEBBB6FF48714F218155FA14ABA10D731A961DB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 0039648D
                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00396493
                                                                                                                                                                                                  • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00396521
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Unexpected return value from message pump., xrefs: 00396577
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 0039656D
                                                                                                                                                                                                  • wininet.dll, xrefs: 003964C0
                                                                                                                                                                                                  • Failed to load UX., xrefs: 003964D6
                                                                                                                                                                                                  • Failed to create engine for UX., xrefs: 003964AD
                                                                                                                                                                                                  • Failed to start bootstrapper application., xrefs: 003964EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Message$CurrentPeekThread
                                                                                                                                                                                                  • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp$wininet.dll
                                                                                                                                                                                                  • API String ID: 673430819-4069925003
                                                                                                                                                                                                  • Opcode ID: e40c950e0256bbfb5e96b63e8267701903ff3de35b9a0dff0bb612cf3bd9bc22
                                                                                                                                                                                                  • Instruction ID: b5e2ccd06dffe8eea3c04d30c5d1a4c0e2c2f75a4f006462c18041d51b7f5a67
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e40c950e0256bbfb5e96b63e8267701903ff3de35b9a0dff0bb612cf3bd9bc22
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E41A572601615BFDF16ABA4DC86EBA77ACEF05314F110526F905EB280DB30ED4487A1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,003964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00397154,?), ref: 0039F3C1
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00397154,?,?), ref: 0039F3CE
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0039F406
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003964D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00397154,?,?), ref: 0039F412
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BootstrapperApplicationCreate, xrefs: 0039F400
                                                                                                                                                                                                  • Failed to load UX DLL., xrefs: 0039F3F9
                                                                                                                                                                                                  • Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0039F43D
                                                                                                                                                                                                  • Failed to create UX., xrefs: 0039F456
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp, xrefs: 0039F3EF, 0039F433
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                                                                                                  • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp
                                                                                                                                                                                                  • API String ID: 1866314245-3484973401
                                                                                                                                                                                                  • Opcode ID: 94aef1487c4d2dcf93069a620dcf8f6ffb21a172ba48b35e0034847f81d8baaa
                                                                                                                                                                                                  • Instruction ID: 976423a0fbaf7f80bbb164f01768e2bba7b9f06d6a62fb2dca8a6ec8b7f991b2
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 94aef1487c4d2dcf93069a620dcf8f6ffb21a172ba48b35e0034847f81d8baaa
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0011AB3BA817366BCB236697AC49FAB6B985F04751F024226FD40FF2C0DA64DD004BD1
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000001,00000000), ref: 003A661C
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003A6629
                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,00000000), ref: 003A66D4
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003A66DE
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                                                  • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                                                                                                                                                                                  • API String ID: 1948546556-460803975
                                                                                                                                                                                                  • Opcode ID: dee509eace172a1df585ba33a92e620b65e9f41001093e2af43332527f956860
                                                                                                                                                                                                  • Instruction ID: 92f9fdaa894e251644363ceafd2c78451447b27252f33660d512bfcb7e521b00
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dee509eace172a1df585ba33a92e620b65e9f41001093e2af43332527f956860
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8311872A40239BBDB239B65DD46BAAFB6CEB05715F158226FC40FA190D7749D008BD0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 003A161C
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 003A1629
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format pending restart registry key to read., xrefs: 003A1520
                                                                                                                                                                                                  • %ls.RebootRequired, xrefs: 003A1509
                                                                                                                                                                                                  • Resume, xrefs: 003A1590
                                                                                                                                                                                                  • Failed to open registration key., xrefs: 003A1585
                                                                                                                                                                                                  • Failed to read Resume value., xrefs: 003A15B2
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                  • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                                                                                                                                                                  • API String ID: 3535843008-3890505273
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,003A8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 003A85F3
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003A8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 003A85FD
                                                                                                                                                                                                  • GetExitCodeThread.KERNELBASE(00000001,00000000,?,003A8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 003A863C
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003A8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 003A8646
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\core.cpp, xrefs: 003A8624, 003A866D
                                                                                                                                                                                                  • Failed to get cache thread exit code., xrefs: 003A8677
                                                                                                                                                                                                  • Failed to wait for cache thread to terminate., xrefs: 003A862E
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                                                                                                  • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\36\s\wix\src\burn\engine\core.cpp
                                                                                                                                                                                                  • API String ID: 3686190907-1959897714
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000001,003DE500,?,00000001,000000FF,?,?,00000000,00000000,00000001,00000000,?,003A9106), ref: 003AF20D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to create pipe and cache pipe., xrefs: 003AF15D
                                                                                                                                                                                                  • Failed to connect to elevated child process., xrefs: 003AF1F6
                                                                                                                                                                                                  • Failed to create pipe name and client token., xrefs: 003AF141
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 003AF10B
                                                                                                                                                                                                  • UX aborted elevation requirement., xrefs: 003AF115
                                                                                                                                                                                                  • Failed to elevate., xrefs: 003AF1EF
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                  • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                                                                                                                                                                                  • API String ID: 2962429428-2894792899
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(003FF764,00000000,?,?,?,003A5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,003971C0,?), ref: 003D56DD
                                                                                                                                                                                                  • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,003FF75C,?,003A5ECA,00000000,Setup), ref: 003D5781
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003A5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,003971C0,?,?,?), ref: 003D5791
                                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,003A5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,003971C0,?), ref: 003D57CB
                                                                                                                                                                                                    • Part of subcall function 00394832: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 0039497C
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(003FF764,?,?,003FF75C,?,003A5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,003971C0,?), ref: 003D5824
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp, xrefs: 003D57B0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\logutil.cpp
                                                                                                                                                                                                  • API String ID: 4111229724-4006286326
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,003975EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 0039903E
                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,003975EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 0039911D
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to format value '%ls' of variable: %ls, xrefs: 003990E7
                                                                                                                                                                                                  • Failed to get value as string for variable: %ls, xrefs: 0039910C
                                                                                                                                                                                                  • Failed to get variable: %ls, xrefs: 0039907F
                                                                                                                                                                                                  • Failed to get unformatted string., xrefs: 003990AE
                                                                                                                                                                                                  • *****, xrefs: 003990D9, 003990E6
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                  • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                                                                                                                                                  • API String ID: 3168844106-2873099529
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00394174
                                                                                                                                                                                                  • GlobalAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 003941A1
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 003941CD
                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,003DE564,?,00000000,?,00000000,?,00000000), ref: 0039420B
                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0039423C
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLast$Global$AllocFree
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 1145190524-1339450348
                                                                                                                                                                                                  • Opcode ID: 5d2509a55e83d6993574eb690b727b7c1382b3fceb5f85d8e2fb31a3d4523ffe
                                                                                                                                                                                                  • Instruction ID: 2976114f7ba2c611ef5ffe0e7dc41d532f8b66aa27ddde7701afc4b693f74ea1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5d2509a55e83d6993574eb690b727b7c1382b3fceb5f85d8e2fb31a3d4523ffe
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E31A43BA40239ABCB239B95DD41EAFBAB8EF54750F124266FD44EB341E630DD0186D0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,00000082,?,?), ref: 003B0600
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 003B060F
                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,?), ref: 003B0623
                                                                                                                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 003B0633
                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 003B064D
                                                                                                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 003B06AC
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Window$Long$Proc$MessagePostQuit
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3812958022-0
                                                                                                                                                                                                  • Opcode ID: 97b9e092bf5015213913ca3d21c0341810f6626176f31c825b25c44f48397c07
                                                                                                                                                                                                  • Instruction ID: b17290e1adff618f56c136f1453e5b1a8c92e0872c3f9c948ffc31dd0d58132c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97b9e092bf5015213913ca3d21c0341810f6626176f31c825b25c44f48397c07
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0221AE76104208AFDF06AF68DC49EAA3F69EF99324F154619FA069F1A0C631DD20DB60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 003B26FC
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 003B2706
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B272A
                                                                                                                                                                                                  • Invalid seek type., xrefs: 003B2692
                                                                                                                                                                                                  • Failed to move file pointer 0x%x bytes., xrefs: 003B2737
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                                                  • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2976181284-2134847726
                                                                                                                                                                                                  • Opcode ID: dd890eaeda96e74ddb925670455019e273ad5d63d71d2562e17570be54121ce2
                                                                                                                                                                                                  • Instruction ID: d53a1bae2713f091d310408961cceaeef203b5963f5709b0002c23ffad77219d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dd890eaeda96e74ddb925670455019e273ad5d63d71d2562e17570be54121ce2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E231A176A0012AFFCB06DF58DC85EAAB7B8FF04358B018215FA149BA51D770ED108B90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • <, xrefs: 003D8308
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\shelutil.cpp, xrefs: 003D8341
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseErrorExecuteHandleLastShell
                                                                                                                                                                                                  • String ID: <$c:\agent\_work\36\s\wix\src\libs\dutil\shelutil.cpp
                                                                                                                                                                                                  • API String ID: 3023784893-1758181408
                                                                                                                                                                                                  • Opcode ID: 69baa24a80c3128d24f4d8536d49b680c7b892c023da7fbd2d8d480d3c022ee1
                                                                                                                                                                                                  • Instruction ID: 345b26aa7507b3d2ff82a25397b2ec077af9162f9997efdfec9d8b2371a71865
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 69baa24a80c3128d24f4d8536d49b680c7b892c023da7fbd2d8d480d3c022ee1
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A921B7BAE11229ABCB11CFA9D945ADEBBF8BF08B50F11411AE905F7340D7749A00CF90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,003BA97E), ref: 0039576C
                                                                                                                                                                                                  • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,003BA97E,00000000), ref: 0039578A
                                                                                                                                                                                                  • RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,003BA97E,00000000,00000000,00000000), ref: 003957E0
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 003957B0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Enum$InfoQuery
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                                                                                                                                                                                  • API String ID: 73471667-90795250
                                                                                                                                                                                                  • Opcode ID: 95e76aece11d675114a530410152873d2b682a4e4e6f73285a5f9e20ad1c5fee
                                                                                                                                                                                                  • Instruction ID: a9f5fbf0f88a27160f09ef18870a8260e1d301ddb212cd7d2b997656620ff185
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95e76aece11d675114a530410152873d2b682a4e4e6f73285a5f9e20ad1c5fee
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A731437690592AFBEF138AD4CD94AAFBB6DEF047A0F114065FD01AB110D6319F9097E0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0039582C: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000001,003FEBD4,00000000,?,003D8E2A,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00395840
                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,003BA9BA,00000000,00000000), ref: 003BA73B
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to open uninstall key for potential related bundle: %ls, xrefs: 003BA6AA
                                                                                                                                                                                                  • Failed to ensure there is space for related bundles., xrefs: 003BA6EE
                                                                                                                                                                                                  • Failed to initialize package from related bundle id: %ls, xrefs: 003BA721
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                  • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
                                                                                                                                                                                                  • API String ID: 47109696-1717420724
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 003B2FDB: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,003B25F0,?,?,?), ref: 003B3003
                                                                                                                                                                                                    • Part of subcall function 003B2FDB: GetLastError.KERNEL32(?,003B25F0,?,?,?), ref: 003B300D
                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 003B25FE
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B2608
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B262C
                                                                                                                                                                                                  • Failed to read during cabinet extraction., xrefs: 003B2636
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                                                  • String ID: Failed to read during cabinet extraction.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 2170121939-1889023893
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0039F5E8
                                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,?,003965A9,00000000,?,?,00397154,?,?), ref: 0039F5F7
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003965A9,00000000,?,?,00397154,?,?), ref: 0039F601
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • BootstrapperApplicationDestroy, xrefs: 0039F5E0
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AddressErrorFreeLastLibraryProc
                                                                                                                                                                                                  • String ID: BootstrapperApplicationDestroy
                                                                                                                                                                                                  • API String ID: 1144718084-3186005537
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 003B106A
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003B1074
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • Failed to post shutdown message., xrefs: 003B10A2
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 003B1098
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorLastMessagePostThread
                                                                                                                                                                                                  • String ID: Failed to post shutdown message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                                                                                                                                                                                  • API String ID: 2609174426-3792247793
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • SetEvent.KERNEL32(?,00000000,?,003B32E3,00000000,00000000,?,0039DF87,00000000,?,?,003BC907,?,00000000,?,?), ref: 003B2398
                                                                                                                                                                                                  • GetLastError.KERNEL32(?,003B32E3,00000000,00000000,?,0039DF87,00000000,?,?,003BC907,?,00000000,?,?,?,00000000), ref: 003B23A2
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 003B23C6
                                                                                                                                                                                                  • Failed to set begin operation event., xrefs: 003B23D0
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorEventLast
                                                                                                                                                                                                  • String ID: Failed to set begin operation event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                                                                  • API String ID: 3848097054-2329002262
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00393659
                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 003936BC
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 003936E0
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                                                  • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                                                                                                                                                                                  • API String ID: 1948546556-1339450348
                                                                                                                                                                                                  • Opcode ID: 40a129dca47a025e1739ab7c7c8ffd89d8db17311605ee1a2236290159e821b0
                                                                                                                                                                                                  • Instruction ID: c5119bbba83732b5fa2880468e92ad5058a0d053e73e7d626c0376d1f88b8579
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 40a129dca47a025e1739ab7c7c8ffd89d8db17311605ee1a2236290159e821b0
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D63193B1A00269ABDF22DF54CC907EA77B4FB08751F0140AAE949EB340D6B4DEC48F91
APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 003A7491
• CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 003A74EA
Strings
• Failed to initialize COM on cache thread., xrefs: 003A74A6
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: InitializeUninitialize
• String ID: Failed to initialize COM on cache thread.
• API String ID: 3442037557-3629645316
• Opcode ID: 490ed15ea411bde7ae8ba353f95e49544b138a1d55f13a57ce8b576b34756214
• Instruction ID: 67f30ae4920162cf4e2fb10f6f2658a14505b00966efe289cdee704c098a9560
• Opcode Fuzzy Hash: 490ed15ea411bde7ae8ba353f95e49544b138a1d55f13a57ce8b576b34756214
• Instruction Fuzzy Hash: EA016176600519BFDB069FA5DC84DEAFFACFF09354F014126F50997221DB70AD508B90
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00393680,?,?,?), ref: 0039452E
• GetLastError.KERNEL32(?,?,00393680,?,?,?), ref: 00394538
Strings
• c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00394561
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
• API String ID: 442123175-1339450348
• Opcode ID: 5062a72d761a70975b5d305332bde452b0b9a21fe1b347ff4b1d12f8d2449552
• Instruction ID: 2c84524783ef1bba5ab7bc0bfd71bce0e648b85b53c39d348b80f8e859761ace
• Opcode Fuzzy Hash: 5062a72d761a70975b5d305332bde452b0b9a21fe1b347ff4b1d12f8d2449552
• Instruction Fuzzy Hash: 2CF03173A01139ABCB129EDADD45E9FBB6DAB45751F020116F914EB140D670EE0196E0
APIs
• ExitProcess.KERNEL32 ref: 003910DA
  • Part of subcall function 00391C00: GetFileAttributesW.KERNELBASE(00000000,00000000,?,003AC134,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,?), ref: 00391C09
  • Part of subcall function 00393B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000,?), ref: 00393B67
  • Part of subcall function 00393B2C: FindClose.KERNEL32(00000000), ref: 00393B73
Strings
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: FileFind$AttributesCloseExitFirstProcess
• String ID: %ls.local$Comctl32.dll
• API String ID: 3456499317-3877841543
• Opcode ID: 3093588c4ef613c201bb448b45e9f2390789f55bd89969422d710602fce7705e
• Instruction ID: 0c549b21afcb21a3f6e211b3121d38d4559cefadcd472578c551c67ebd8c2838
• Opcode Fuzzy Hash: 3093588c4ef613c201bb448b45e9f2390789f55bd89969422d710602fce7705e
• Instruction Fuzzy Hash: 90F0317690121ABADF22A752DD0AEDF7EB99F10398F100151B804B5111F7719B50D6A1
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00391409
• GetLastError.KERNEL32(?,?), ref: 00391413
• LoadLibraryW.KERNELBASE(?,?,00000104,?,?,?), ref: 0039147C
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: DirectoryErrorLastLibraryLoadSystem
• String ID:
• API String ID: 1230559179-0
• Opcode ID: f6de23a3fdebc0848880becb08d2191567efe863adb1be1c3cdb71ee7c14baaa
• Instruction ID: 0d9f448581aeb25d69201e649df8668ca472c06b7b34489271f618ec80d86fa0
• Opcode Fuzzy Hash: f6de23a3fdebc0848880becb08d2191567efe863adb1be1c3cdb71ee7c14baaa
• Instruction Fuzzy Hash: 0821F8B6D0133A67DF229B65DC49F9B77BCAB04764F124165EE04FB241D630DD408BA0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,003D5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,003D53F9,000001C7), ref: 003951B8
• RtlFreeHeap.NTDLL(00000000,?,003D5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,003D53F9,000001C7,?,?), ref: 003951BF
• GetLastError.KERNEL32(?,003D5465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,003D53F9,000001C7,?,?), ref: 003951C9
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: Heap$ErrorFreeLastProcess
• String ID:
• API String ID: 406640338-0
• Opcode ID: e9a14cff06881fcb1e24d841d668d9c3b3bae8647c95fb27cc3fef6ba820653c
• Instruction ID: 86642c5a0d16d44cc14cfe4278a25dd1a6d358c09499b27602c6bf7275e855bf
• Opcode Fuzzy Hash: e9a14cff06881fcb1e24d841d668d9c3b3bae8647c95fb27cc3fef6ba820653c
• Instruction Fuzzy Hash: 45D01273A01535678A2327E6EC0C6577F5CEF157A2B034122FD04DB110D635CC1087E5
APIs
• IsWindow.USER32(?), ref: 003B06C6
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003B06DC
• WaitForSingleObject.KERNEL32(?,00003A98,?,0039690B,?,?,?,?,?,003DE4A0,?,?,?,?,?,?), ref: 003B06ED
Memory Dump Source
• Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
Similarity
• API ID: MessageObjectPostSingleWaitWindow
• String ID:
• API String ID: 1391784381-0
• Opcode ID: ea8a7d98641066cbcc3a6c70684facbbd666de96e5fd44e4ede4fe6a4e97bf84
• Instruction ID: e3e41ed08f564c407c5b9cf67975d7a0a77f0717be8fba7aaba2b8ed48794f34
• Opcode Fuzzy Hash: ea8a7d98641066cbcc3a6c70684facbbd666de96e5fd44e4ede4fe6a4e97bf84
• Instruction Fuzzy Hash: 02E08C32280304BBD7232B60EC09FEA7F6CFB04B41F080526B256AA1E0C6A169609B44
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                    • Part of subcall function 0039582C: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000001,003FEBD4,00000000,?,003D8E2A,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00395840
                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,003A9994,?,?,?), ref: 003A1495
                                                                                                                                                                                                    • Part of subcall function 003958E0: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000078,003D9B90,00000000,?,?,?,003D8E7E,00000000,?,003D9B90,00000078), ref: 00395905
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                                                                                  • String ID: Installed
                                                                                                                                                                                                  • API String ID: 3677997916-3662710971
                                                                                                                                                                                                  • Opcode ID: 4082d7e590ab5bc1e860937ae71d98c7c153d355d8ab16a7407623e2d53056ea
                                                                                                                                                                                                  • Instruction ID: 166aac8b01ed801c5ddd9ee3914891c989e530ec454d5e0dd66d06ef5468caa1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4082d7e590ab5bc1e860937ae71d98c7c153d355d8ab16a7407623e2d53056ea
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C016236920124FFCF12DB99C846BDDBBB8EF09755F118165F900AB150D3759E40DB90
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 003D4648
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BFE2F
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BFE97
                                                                                                                                                                                                    • Part of subcall function 003BFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BFEA8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                                  • String ID: h?
                                                                                                                                                                                                  • API String ID: 697777088-3363036698
                                                                                                                                                                                                  • Opcode ID: 25e573c1b016bf3720750cb925d031aa6d593b349bb97024fad5c086f22fd706
                                                                                                                                                                                                  • Instruction ID: f96d68a1cd6ed6d007ce0970e4914495686b4882b1b786a183256d549646d1e4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 25e573c1b016bf3720750cb925d031aa6d593b349bb97024fad5c086f22fd706
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88B012D629C205BE79071211BC02C77410CC0C1B21330526BF201C8552E440DC404035
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 003D4648
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BFE2F
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BFE97
                                                                                                                                                                                                    • Part of subcall function 003BFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BFEA8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                                  • String ID: l?
                                                                                                                                                                                                  • API String ID: 697777088-1039366362
                                                                                                                                                                                                  • Opcode ID: db573ff7faacade6c7d93c9916b1af80bd9a320ce9965b601302d37025a54861
                                                                                                                                                                                                  • Instruction ID: 8683549a680714665722a780fcac30121d932f62bbcca1b11118bb3c77751f3b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: db573ff7faacade6c7d93c9916b1af80bd9a320ce9965b601302d37025a54861
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43B012C62AC105AE75075214BC02C77414CC0C1B11330912BF605C9652E440CC000032
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 003D4648
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BFE2F
                                                                                                                                                                                                    • Part of subcall function 003BFE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BFE97
                                                                                                                                                                                                    • Part of subcall function 003BFE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BFEA8
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                                  • String ID: d?
                                                                                                                                                                                                  • API String ID: 697777088-226702107
                                                                                                                                                                                                  • Opcode ID: 78a49b1039f033841a18cf5cc736ebe5323a3db2342df8618f0446b7c93245ed
                                                                                                                                                                                                  • Instruction ID: 2fa2a37f9a0e8485e6df10e84f5a5d461b05e4d02832303deddd3d814222f95d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78a49b1039f033841a18cf5cc736ebe5323a3db2342df8618f0446b7c93245ed
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8EB012C629C205AE75075214BD02C77414CD0C1B11330512BF205C9652E440CC010032
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(?,000001C7,?,?,00392D49,000001C7,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000), ref: 0039529A
                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(00000000,?,00392D49,000001C7,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000,00000000,8007139F), ref: 003952A1
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1357844191-0
                                                                                                                                                                                                  • Opcode ID: 2a9bcd5e147db48f876ec97a0c9ae3d6079be000172d07a8cb5cc86ca6ca705e
                                                                                                                                                                                                  • Instruction ID: a3e79036f3b62616bdab71515d53baf3ec2c1fad9efc4de3b21129c17cd69243
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a9bcd5e147db48f876ec97a0c9ae3d6079be000172d07a8cb5cc86ca6ca705e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FDD0C932250209AB9F026FA8EC09DAA3BACEB58712B008406B915C6110D639E4609A60
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(?,000001C7,?,00392D50,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000,00000000,8007139F), ref: 003950FA
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00392D50,?,00000001,80004005,8007139F,?,?,003D5417,8007139F,?,00000000,00000000,8007139F), ref: 00395101
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1357844191-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: __aulldiv
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 3732870572-0
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,003CC8E6,?,?,003CC8E6,00000220,?,?,?), ref: 003CA304
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000005.00000002.1618564790.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618538383.0000000000390000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618642595.00000000003FE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  • Associated: 00000005.00000002.1618668985.0000000000401000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_390000_dotnet-runtime-8.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1279760036-0